Abstract: A variant of the drinking philosophers algorithm of Chandy and Misra is described and proved correct in a modular way, using the I/O automaton model of Lynch and Tuttle. The algorithm of Chandy and Misra is based on a particular dining philosophers algorithm, and relies on certain properties of its implementation. The drinking philosophers algorithm presented in this paper is able to use an arbitrary dining philosophers algorithm as a true subroutine; nothing about the implementation needs to be known, only that it solves the dining philosophers problem. An important advantage of this modularity is that by substituting a more time-efficient dining philosophers algorithm than the one used by Chandy and Misra, a drinking philosophers algorithm with O(1) worst-case waiting time is obtained, whereas the drinking philosophers algorithm of Chandy and Misra has O(n) worst-case waiting time (for n philosophers). Formal definitions are given to distinguish the drinking and dining philosophers problems and to specify precisely varying degrees of concurrency.

Key words: dining philosophers, distributed algorithms, drinking philosophers, modularity, resource allocation, time complexity.


1.  Introduction 

We present a modular description and proof of correctness for an algorithm to solve the drinking philosophers problem in a message-passing distributed system. Our algorithm uses an arbitrary solution to the dining philosophers problem as a subroutine; by using a time-efficient subroutine, one can obtain a drinking philosophers algorithm with O(1) worst-case waiting time. Formal definitions are given to distinguish the drinking and dining philosophers problems and to specify precisely varying degrees of concurrency.

The drinking philosophers problem is a dynamic variant due to Chandy and Misra (1984) of the dining philosophers problem, a much-studied resource allocation problem. In the original dining philosophers problem of Dijkstra (1971), five philosophers (processes) are arranged in a ring with one fork (resource) between each pair of neighbors, and in order to eat (do work), a philosopher must have exclusive access to both of its adjacent forks. A more general version of the problem allows any number of processes and puts no restrictions on which processes share resources. In the drinking philosophers problem, for each process there is a maximum set of resources that it can request, and each time a process wishes to do some work, it may request an arbitrary subset of its maximum set.




Our drinking philosophers algorithm is a variant of the one of Chandy and Misra (1984). Their algorithm is based on a particular dining philosophers algorithm, and relies on certain properties of its implementation. Our drinking philosophers algorithm is able to use an arbitrary dining philosophers algorithm as a true subroutine; nothing about the implementation needs to be known, only that it solves the dining philosophers problem. We show that in a system of n philosophers the maximum waiting time for a drinking philosopher to enter its critical region is roughly equal to the maximum waiting time for a dining philosopher to enter its critical region in the subroutine. Thus, by replacing the dining philosophers algorithm of Chandy and Misra (1984), which has waiting time O(n), with a dining philosophers algorithm such as the one of Lynch (1981), which has waiting time O(1), we obtain a more efficient drinking philosophers algorithm.

We provide definitions that distinguish the drinking and dining philosophers problems, and that specify precisely varying degrees of concurrency. We use the model of Lynch and Tuttle (1987), which is useful for stating properties that concern the infinite behavior of a system, such as no-deadlock and no-lockout, and which supports modular algorithm design and verification. This model, together with the particular definitions developed in this paper for expressing the safety and liveness properties for resource allocation problems, makes possible a clear and precise proof of correctness for our construction.

In  Section  2,  the  dining  philosophers  and  drinking  philosophers  problems  are 
defined.  In  Section  3,  we  describe  our  algorithm,  as  an  automaton.  Section  4 
contains  the  proof  of  correctness  of  our  algorithm,  and  Section  5  analyzes  the  per¬ 
formance  of  our  algorithm  with  respect  to  various  complexity  measures.  Section  6 
contains  our  conclusions. 

2.  Problem  Statement 

There are n user processes in the system being modeled, and at various times, each one needs some of the system resources. Only one user at a time may have access to any one resource. Each user's states are partitioned into four regions. In its trying region, the user is vying for access to its required resources. Once the resources are obtained, the user may enter its critical region. When the user is through with the resources, it enters its exit region, which usually involves some "cleaning up" activities. Otherwise, the user is in its remainder region. The user cycles through these four regions.

A resource allocation algorithm decides which user gets which resources at which time; thus, it supplies the code for the trying and exit regions. A distributed resource allocation algorithm consists of one component for each user; the components communicate with each other by message passing.

We define two resource allocation problems, dining philosophers and drinking philosophers, as external schedule modules, that is, as sets of allowable interactions between inputs and outputs. (See Appendix A for a summary of the I/O automaton model of Lynch and Tuttle (1987).) We imagine an automaton that, given input from some number of users informing the automaton of their desire to gain or give up a set $U$ of resources (with input actions $T_i(U)$ and $E_i(U)$ for each user i), decides which users are allowed to enter their critical and remainder regions at which times (with output actions $C_i(U)$ and $R_i(U)$). The automaton, then, represents the algorithm used to allocate the resources.

In  the  dining  philosophers  problem,  each  user  (or  philosopher)  always  requests 
the  same  set  of  resources.  In  the  drinking  philosophers  problem,  each  user  can 
request  a  different  set  of  resources  each  time  it  enters  its  trying  region. 

We consider several versions of the dining and drinking philosophers problems, each satisfying successively stronger liveness properties. First we define the basic dining and drinking philosophers problems, which only satisfy safety conditions. Then the no-deadlock versions are defined, in which as long as some user is in its trying region, eventually some user enters its critical region. In the no-lockout versions, any user that enters its trying region eventually enters its critical region. The no-deadlock and no-lockout conditions assume that no user keeps resources forever.

A dining philosophers algorithm can be used to solve the drinking philosophers problem by treating each resource request as a request for the entire set of resources which that user will ever need. However, users may be blocked unnecessarily in such a scheme. A preferable solution would not rule out two users that share a resource from entering their critical regions simultaneously, if their current resource requirements are disjoint. We capture part of this intuition by defining the "more-concurrent" condition for the drinking philosophers problem: if a user requests a set of resources, none of which is currently being sought or used by another user, then the first user eventually enters its critical region, even if some other resources are never relinquished. (In our conclusions we discuss even stronger forms of the drinking philosophers problem.)
Let $S$ be a finite non-empty set of resources. Define an n-user resource requirement to be a collection of n sets $S_i$, $1 \le i \le n$, such that each $S_i$ is a non-empty subset of $S$, and no resource is in more than two $S_i$'s. The last restriction makes the algorithm much simpler to describe and reason about, but is not substantial. If a resource is shared by k users, then it can be represented by $\binom{k}{2}$ virtual resources, one shared between each pair of the original k users; to gain the "real" resource, a user must gain the $k-1$ virtual resources shared with it.

In the context of the dining philosophers problem, resources will be referred to as forks; in the context of the drinking philosophers problem, resources will be referred to as bottles.

2.1 Dining Philosophers

Fix an n-user fork requirement $F = \{F_i : 1 \le i \le n\}$. The following definitions are all made relative to this fork requirement.

For each i, let the set $\{T_i, C_i, E_i, R_i\}$ be denoted $\text{F-TCER}_i$. (The letter F stands for "fork.") $T_i$ is the action by which user i enters its trying region, desiring the resources $F_i$, and analogously for the other actions and regions. Since each user i must request the same set $F_i$ of forks each time, we do not explicitly include the set of forks in the action names. Let $\text{F-TCER} = \bigcup_{i=1}^{n} \text{F-TCER}_i$.

In order to specify the external schedule module for the dining philosophers problem, we define the following predicates on any sequence $\alpha$. (Throughout this paper, Greek letters stand for sequences from a set, and Roman letters for single elements.) If $\alpha$ is a sequence from a set $S$ and $T$ is a subset of $S$, then $\alpha|T$ is defined to be the subsequence of $\alpha$ consisting of elements in $T$.

• $\alpha$ is dining-well-formed if for all i, the subsequence of $\alpha$ restricted to $\text{F-TCER}_i$ conforms to the pattern $T_i\,C_i\,E_i\,R_i \ldots$.

• $\alpha$ satisfies (REL-F) if for all i, if $\alpha|\text{F-TCER}_i$ is finite, then $\alpha|\text{F-TCER}_i$ does not end in $C_i$. (REL-F) states that every user eventually releases the resources it is granted, by leaving its critical region.

• $\alpha$ satisfies (EX-F) if for all i and j, $i \ne j$, if $\alpha = \beta_1\,C_i\,\beta_2\,C_j\,\beta_3$ and if $F_i \cap F_j \ne \emptyset$, then $\beta_2$ contains $E_i$. (EX-F) states that each user has exclusive access to a needed resource when it is in its critical region.

• $\alpha$ satisfies (ND-F) if for all i, if $\alpha|\text{F-TCER}$ is finite, then $\alpha|\text{F-TCER}_i$ ends in $R_i$ or is empty. (ND-F) states that the system is not deadlocked, i.e., that users stop taking steps only if they are all in their remainder regions.

• $\alpha$ satisfies (NL-F) if for all i, if $\alpha|\text{F-TCER}_i$ is finite, then $\alpha|\text{F-TCER}_i$ ends in $R_i$ or is empty. (NL-F) states that the system has no-lockout, i.e., that any individual user stops taking steps only if it is in its remainder region.

The dining philosophers problem for $F$ is the external schedule module DiPh such that:

• $in(\text{DiPh}) = \{T_i, E_i : 1 \le i \le n\}$,

• $out(\text{DiPh}) = \{C_i, R_i : 1 \le i \le n\}$,

• DiPh preserves dining-well-formedness (see Appendix A for the definition of "preserves"), and

• scheds(DiPh) is the set of all sequences $\alpha$ of actions satisfying the following implication:

Exclusion: If $\alpha$ is dining-well-formed, then $\alpha$ satisfies (EX-F).

The exclusion implication states that if the schedule is dining-well-formed, then no two users are in their critical regions at the same time with the same resource.

The no-deadlock dining philosophers problem for $F$ is the external schedule module that is the same as the dining philosophers problem except that in addition to the exclusion implication, schedules must satisfy the following implication:

No-deadlock: If $\alpha$ is dining-well-formed and $\alpha$ satisfies (REL-F), then $\alpha$ satisfies (ND-F).

The no-deadlock implication states that if the schedule is dining-well-formed and no user keeps resources forever (by staying in its critical region forever), then eventually some user will enter its critical region.

The no-lockout dining philosophers problem for $F$ is the external schedule module that is the same as the dining philosophers problem except that in addition to the exclusion implication, schedules must satisfy the following implication:

No-lockout: If $\alpha$ is dining-well-formed and $\alpha$ satisfies (REL-F), then $\alpha$ satisfies (NL-F).

The no-lockout implication states that if the schedule is dining-well-formed and no user keeps resources forever (by staying in its critical region forever), then eventually every user that wishes will enter its critical region.
2.2 Drinking Philosophers


Fix an n-user bottle requirement $\mathcal{B} = \{B_i : 1 \le i \le n\}$. The following definitions are made relative to this bottle requirement; most are analogous to those in Section 2.1. Two new conditions, $(\text{NS-B})_i$ and $(\text{NOV-B})_i$, both indexed by user id i, are used to create implications to distinguish the drinking philosophers problem from the dining philosophers problem, as will be discussed.

For each i, let the set $\{T_i(B), C_i(B), E_i(B), R_i(B) : B \subseteq B_i \text{ and } B \ne \emptyset\}$ be denoted $\text{B-TCER}_i$. (The letter B stands for "bottles.") Let $\text{B-TCER} = \bigcup_{i=1}^{n} \text{B-TCER}_i$. The following predicates are defined for any sequence $\alpha$.

• $\alpha$ is drinking-well-formed if for all i, the subsequence of $\alpha$ restricted to $\text{B-TCER}_i$ conforms to the pattern $T_i(B)\,C_i(B)\,E_i(B)\,R_i(B)\,T_i(B')\,C_i(B')\,E_i(B')\,R_i(B') \ldots$.

• $\alpha$ satisfies (REL-B) if for all i, if $\alpha|\text{B-TCER}_i$ is finite, then $\alpha|\text{B-TCER}_i$ does not end in $C_i(B)$ for any $B$. (REL-B) states that every user eventually releases all resources that it is granted, by leaving its critical region.

• $\alpha$ satisfies (EX-B) if for all i and j, $i \ne j$, if $\alpha = \beta_1\,C_i(B)\,\beta_2\,C_j(B')\,\beta_3$ and if $B \cap B' \ne \emptyset$, then $\beta_2$ contains $E_i(B)$. (EX-B) states that every user has exclusive access to needed resources when it is in its critical region.

• $\alpha$ satisfies (ND-B) if for all i, if $\alpha|\text{B-TCER}$ is finite, then $\alpha|\text{B-TCER}_i$ ends in $R_i(B)$ for some $B$ or is empty. (ND-B) states that the system is not deadlocked, i.e., that users stop taking steps only if all users are in their remainder regions.

• $\alpha$ satisfies (NL-B) if for all i, if $\alpha|\text{B-TCER}_i$ is finite, then $\alpha|\text{B-TCER}_i$ ends in $R_i(B)$ for some $B$ or is empty. (NL-B) states that the system has no-lockout, i.e., that any particular user stops taking steps only if it is in its remainder region.

The drinking philosophers problem for $\mathcal{B}$ is the external schedule module DrPh such that:

• $in(\text{DrPh}) = \{T_i(B), E_i(B) : 1 \le i \le n,\ B \subseteq B_i, \text{ and } B \ne \emptyset\}$,

• $out(\text{DrPh}) = \{C_i(B), R_i(B) : 1 \le i \le n,\ B \subseteq B_i, \text{ and } B \ne \emptyset\}$,

• DrPh preserves drinking-well-formedness, and

• scheds(DrPh) is the set of all sequences $\alpha$ of actions satisfying the following implication:

Exclusion: If $\alpha$ is drinking-well-formed, then $\alpha$ satisfies (EX-B).
The no-deadlock drinking philosophers problem for $\mathcal{B}$ is the external schedule module that is the same as the drinking philosophers problem except that in addition to the exclusion implication, schedules must satisfy the following implication:

No-deadlock: If $\alpha$ is drinking-well-formed and $\alpha$ satisfies (REL-B), then $\alpha$ satisfies (ND-B).

The no-lockout drinking philosophers problem for $\mathcal{B}$ is the external schedule module that is the same as the drinking philosophers problem except that in addition to the exclusion implication, schedules must satisfy the following implication:

No-lockout: If $\alpha$ is drinking-well-formed and $\alpha$ satisfies (REL-B), then $\alpha$ satisfies (NL-B).

The next two predicates are introduced to create an implication that will distinguish between the drinking and dining philosophers problems.

• $(\text{NOV-B})_i$ ($1 \le i \le n$) For all j and any $B$ and $B'$ with $B \cap B' \ne \emptyset$: (1) if $\alpha = \beta_1\,T_i(B)\,\beta_2\,T_j(B')\,\beta_3$, then $\beta_2$ contains $C_i(B)$; and (2) if $\alpha = \beta_1\,T_j(B')\,\beta_2\,T_i(B)\,\beta_3$, then $\beta_2$ contains $E_j(B')$. $(\text{NOV-B})_i$ (NOV for "no overlap") states that whenever user i requests a resource, (1) no other user requests that resource until after user i enters its critical region, and (2) any other user that has previously requested that resource has already released it.

• $(\text{NS-B})_i$ ($1 \le i \le n$) If $\alpha|\text{B-TCER}_i$ is finite, then $\alpha|\text{B-TCER}_i$ does not end in $T_i(B)$ or $E_i(B)$ for any $B$. $(\text{NS-B})_i$ (NS for "not stuck") states that user i is never stuck in its trying or exit regions.

The next problem statement requires a degree of concurrency in the drinking philosophers problem, concerning users being simultaneously in their critical regions, that cannot be obtained with a dining philosophers algorithm.

The more-concurrent drinking philosophers problem for $\mathcal{B}$ is the external schedule module that is the same as the drinking philosophers problem except that in addition to the exclusion implication, schedules must satisfy the following n implications:

More concurrent for i, $1 \le i \le n$: If $\alpha$ is drinking-well-formed and satisfies $(\text{NOV-B})_i$, then $\alpha$ satisfies $(\text{NS-B})_i$.

For each i, the implication "more concurrent for i" states that as long as the no overlap condition is true for i, i will eventually enter its critical region, even if some user j, with $B_i \cap B_j \ne \emptyset$, stays in its critical region forever (of course, j must have only resources not needed by i). Thus, simply using a dining philosophers algorithm for $\mathcal{B}$ would not satisfy this implication, since user i would be stuck in its trying region forever.

The no-lockout and more-concurrent drinking philosophers problems are incomparable in the sense that there is an algorithm for the first that does not solve the second and vice-versa.
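As an added illustration, not part of the paper, the following Python checker evaluates the predicates of Sections 2.1 and 2.2 on a finite schedule: drinking-well-formedness, (REL-B), (EX-B), (ND-B)/(NL-B), $(\text{NOV-B})_i$ and $(\text{NS-B})_i$. A dining schedule is the special case in which every action of user i carries the same set $F_i$, so the same functions serve Section 2.1. Finiteness is the one simplification: the paper's liveness predicates speak about infinite schedules and only fall back to their "ends in ..." clauses when the restricted subsequence is finite, so on a finite schedule (ND-B) and (NL-B) coincide. The action encoding, the function names and the two sample schedules are our own constructions.

```python
# Added example (not from the paper): a checker for the Section 2 schedule
# predicates on a finite schedule. An action is a tuple (kind, user, bottles)
# with kind in {"T", "C", "E", "R"} and bottles a frozenset, i.e. T_i(B) is
# ("T", i, B). Dining schedules are the special case where every action of
# user i carries the same set F_i, so the same functions check Section 2.1.

NEXT = {"T": "C", "C": "E", "E": "R", "R": "T"}

def restrict(alpha, i):
    """alpha|B-TCER_i: the subsequence of alpha consisting of user i's actions."""
    return [a for a in alpha if a[1] == i]

def last_kind(alpha, i):
    """Kind of user i's last action; "R" if the subsequence is empty, which the
    paper treats like ending in R_i(B)."""
    sub = restrict(alpha, i)
    return sub[-1][0] if sub else "R"

def drinking_well_formed(alpha, users):
    """Each user's subsequence follows T_i(B) C_i(B) E_i(B) R_i(B) T_i(B') ...
    (a prefix of that pattern is accepted, as for any finite schedule)."""
    for i in users:
        expected, current = "T", None
        for kind, _, bottles in restrict(alpha, i):
            if kind != expected:
                return False
            if kind == "T":
                current = bottles            # the set B for this cycle
            elif bottles != current:         # C, E, R must carry the same B
                return False
            expected = NEXT[kind]
    return True

def rel_b(alpha, users):
    """(REL-B): no user's subsequence ends in C_i(B)."""
    return all(last_kind(alpha, i) != "C" for i in users)

def ex_b(alpha):
    """(EX-B): if C_i(B) precedes C_j(B') with B and B' overlapping, then
    E_i(B) occurs between them."""
    for p, (kind, i, b) in enumerate(alpha):
        if kind != "C":
            continue
        for kind2, j, b2 in alpha[p + 1:]:
            if (kind2, j, b2) == ("E", i, b):
                break                        # i released B before any conflict
            if kind2 == "C" and j != i and b & b2:
                return False
    return True

def nd_nl_b(alpha, users):
    """(ND-B) and (NL-B) coincide on a finite schedule: every user's
    subsequence ends in R_i(B) or is empty."""
    return all(last_kind(alpha, i) == "R" for i in users)

def nov_b(alpha, i):
    """(NOV-B)_i: for an overlapping request T_j(B') by another user, (1) if it
    follows T_i(B) then C_i(B) lies between them, and (2) if it precedes
    T_i(B) then E_j(B') lies between them."""
    for p, (kind, u, b) in enumerate(alpha):
        if kind != "T" or u != i:
            continue
        entered = False
        for kind2, j, b2 in alpha[p + 1:]:                       # clause (1)
            if (kind2, j, b2) == ("C", i, b):
                entered = True
            elif kind2 == "T" and j != i and b & b2 and not entered:
                return False
        for q, (kind2, j, b2) in enumerate(alpha[:p]):           # clause (2)
            if kind2 == "T" and j != i and b & b2 and ("E", j, b2) not in alpha[q + 1:p]:
                return False
    return True

def ns_b(alpha, i):
    """(NS-B)_i: user i's subsequence does not end in T_i(B) or E_i(B)."""
    return last_kind(alpha, i) not in ("T", "E")

def check(alpha, users):
    """All Section 2.2 predicates on one finite schedule, by name."""
    result = {"well-formed": drinking_well_formed(alpha, users),
              "REL-B": rel_b(alpha, users), "EX-B": ex_b(alpha),
              "ND-B/NL-B": nd_nl_b(alpha, users)}
    for i in users:
        result[f"NOV-B_{i}"] = nov_b(alpha, i)
        result[f"NS-B_{i}"] = ns_b(alpha, i)
    return result

# Constructed sample: B_1 = {a,b}, B_2 = {b,c}, B_3 = {c,a}; user 3 stays idle.
A, B, C = frozenset("a"), frozenset("b"), frozenset("c")
USERS = (1, 2, 3)
GOOD = [("T", 1, A | B), ("T", 2, C), ("C", 2, C), ("C", 1, A | B),
        ("E", 1, A | B), ("R", 1, A | B), ("E", 2, C), ("R", 2, C)]
# Constructed violation: users 1 and 2 are both in C holding bottle b.
BAD = [("T", 1, A | B), ("T", 2, B | C), ("C", 1, A | B), ("C", 2, B | C)]

if __name__ == "__main__":
    for name, sched in (("GOOD", GOOD), ("BAD", BAD)):
        failed = [k for k, v in check(sched, USERS).items() if not v]
        print(name, failed or "all predicates hold")
```

On GOOD every predicate holds; on BAD the schedule is still drinking-well-formed (each user's subsequence is a prefix of the pattern), but (EX-B) fails because user 2 enters its critical region holding b before user 1 has released it, and $(\text{NOV-B})_1$ fails for the same reason, which is exactly the distinction the two implications are built to expose.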

3.  Drinking  Philosophers  Automaton 

In this section we describe an automaton Drink(B) to solve the drinking philosophers problem for the n-user bottle requirement $\mathcal{B} = \{B_i : 1 \le i \le n\}$, in a message-passing distributed system. It is created by composing several automata, to be described, and then hiding most of the actions, in order for the external actions to be consistent with the definition of the problem. The component automata are D(i), for $1 \le i \le n$, and any automaton Dine(B) that solves the dining philosophers problem for $\mathcal{B}$. D(i) represents the part of the drinking philosophers algorithm for user i; Dine(B) is the subroutine. First we describe the algorithm informally, then we present the D(i) automata, and then we define Drink(B).

When drinker i enters its trying region needing a certain set of resources, it sends requests for those that it needs but lacks. Recipient j of a request satisfies the request unless j currently also wants the resource or is already using it. In the latter two cases, j defers the request and satisfies it once j is finished using the resource.

In order to prevent drinkers from deadlocking, a dining philosophers algorithm is used as a subroutine. The "resources" manipulated by the dining subroutine are priorities for the "real" resources (there is one dining resource for each drinking resource). As soon as drinker i is able to do so in its drinking trying region (without violating dining-well-formedness), it enters its dining trying region, that is, it tries to gain priority for all its adjacent resources. If i ever enters its dining critical region while still in its drinking trying region, it sends demands for needed bottles that are still missing. A recipient j of a demand must satisfy it even if j wants the resource, unless j is using the resource. In the latter case, j defers the request and satisfies it when j is through using the resource.

Once drinker i is in its dining critical region, we can show that it eventually receives all its needed resources and never gives them up. Then it may enter its drinking critical region. When i enters its drinking critical region, it relinquishes its dining critical region. The benefits of having the priorities are no longer needed. Doing so allows some extra concurrency: even if i stays in its drinking critical region forever, other drinkers needing other resources can continue to make progress.

A couple of points about the code deserve explanation. We can show that when a request is received, the resource is always at the recipient; thus it is not necessary for the recipient to check that it has the resource before satisfying or deferring the request. However, it is possible for old leftover demands to be in the system, so before satisfying or deferring a demand, the recipient must check that it has the resource.

Another point concerns when the actions of the dining subroutine should be performed. Drinker i's dining output actions are $T_i$ and $E_i$ and are enabled (using Boolean flags) in such a way as to preserve dining-well-formedness. Some drinkers could be locked out if drinker i never relinquishes the dining critical region. To avoid this situation, i cannot enter its drinking critical or remainder regions as long as $E_i$ is enabled. The fairness assumption about the underlying model ensures that once $E_i$ is enabled, eventually i enters its dining exit region, after which it may enter the appropriate drinking region.

We now present the automaton D(i).

The set of possible messages is $\{req(b), sat(b), dem(b) : b \in S\}$.

The state of D(i), $1 \le i \le n$, consists of values for the following variables: drink-region(i), dine-region(i), deferred(i), bottles(i), req-bottles(i), buff(i,j) for all $j \ne i$, do-T(i), and do-E(i). The region(i) variables take on the values T, C, E and R, and indicate which region the i-th dining and i-th drinking philosophers are in. The deferred(i) variable is a set of pairs $(b, j)$, indicating that user j's request for bottle b has been deferred at user i. The bottles(i) and req-bottles(i) variables are sets of bottles, and indicate which bottles user i has and which it requires, respectively. For each $j \ne i$, the variable buff(i,j) is a FIFO queue of messages from D(i) to send to D(j), and is manipulated with operations enqueue and dequeue. The do-T(i) and do-E(i) variables are Booleans and control when the output actions $T_i$ and $E_i$ respectively are enabled. In the unique start state, the region(i)'s are R; deferred(i), req-bottles(i), and all the buff(i,j) are empty; do-T(i) and do-E(i) are false; and bottles(i) is an arbitrary subset of $B_i$. (We have actually defined a class of automata D(i), with different start states, depending on the initial value of bottles(i). Later, we will require consistency between the D(i)'s.)
The actions of D(i) are listed below, together with their preconditions and effects. (There are no internal actions.) First we define two macros, SAT and DEFER. SAT satisfies a request or demand from D(j) for bottle b by sending the message $sat(b)$ to D(j) and removing b from bottles(i) and $(b, j)$ from deferred(i). DEFER defers a request or demand from D(j) for bottle b, if b is currently required by D(i), by adding $(b, j)$ to deferred(i); if b is not currently required, then the request or demand is satisfied.

SAT(i,b,j) == enqueue(buff(i,j), sat(b))
              bottles(i) ← bottles(i) − {b}
              deferred(i) ← deferred(i) − {(b,j)}

DEFER(i,b,j) == if b ∈ req-bottles(i) then deferred(i) ← deferred(i) ∪ {(b,j)}
                else SAT(i,b,j)


Input actions:

• T_i(B), B ⊆ B_i
  Effect:
    drink-region(i) ← T
    req-bottles(i) ← B
    for all j ≠ i and b ∈ req-bottles(i) ∩ B_j:
      if b ∉ bottles(i) then enqueue(buff(i,j), req(b))
    if dine-region(i) = R then do-T(i) ← true

• E_i(B), B ⊆ B_i
  Effect:
    drink-region(i) ← E
    for all (b,j) ∈ deferred(i): SAT(i,b,j)

• deliver(sat(b), j, i) for all j ≠ i, b ∈ B_i ∩ B_j
  Effect:
    bottles(i) ← bottles(i) ∪ {b}

• deliver(req(b), j, i) for all j ≠ i, b ∈ B_i ∩ B_j
  Effect:
    if drink-region(i) = T or drink-region(i) = C
      then DEFER(i,b,j)
      else SAT(i,b,j)

• deliver(dem(b), j, i) for all j ≠ i, b ∈ B_i ∩ B_j
  Effect:
    if b ∈ bottles(i) then
      if drink-region(i) = C or (drink-region(i) = T and dine-region(i) = C)
        then DEFER(i,b,j)
        else SAT(i,b,j)

• C_i
  Effect:
    dine-region(i) ← C
    if drink-region(i) = T then [
      for all j ≠ i and b ∈ req-bottles(i) ∩ B_j: if b ∉ bottles(i) then
        enqueue(buff(i,j), dem(b)) ]
    else do-E(i) ← true

• R_i
  Effect:
    dine-region(i) ← R
    if drink-region(i) = T then do-T(i) ← true

Output actions:

• C_i(B), B ⊆ B_i
  Precondition:
    drink-region(i) = T
    B = req-bottles(i) ⊆ bottles(i)
    do-E(i) = false
  Effect:
    drink-region(i) ← C
    if dine-region(i) = C then do-E(i) ← true

• R_i(B), B ⊆ B_i
  Precondition:
    drink-region(i) = E
    B = req-bottles(i)
    do-E(i) = false
  Effect:
    drink-region(i) ← R

• deliver(m, i, j) for all j ≠ i, m ∈ {req(b), sat(b), dem(b) : b ∈ B_i ∩ B_j}
  Precondition:
    m is at head of buff(i,j)
  Effect:
    dequeue(buff(i,j))

• T_i
  Precondition:
    do-T(i) = true
  Effect:
    dine-region(i) ← T
    do-T(i) ← false

• E_i
  Precondition:
    do-E(i) = true
  Effect:
    dine-region(i) ← E
    do-E(i) ← false

The output actions of D(i) are partitioned into n classes, one for the delivery of messages in each buff(i,j), and one for all the other actions. Formally, the subsets of the output actions are $\{C_i(B), R_i(B), T_i, E_i : B \subseteq B_i\}$, and for each $j \ne i$, $\{deliver(m, i, j) : m = req(b),\ dem(b),\ \text{or } sat(b),\ b \in B_i \cap B_j\}$. This partition guarantees that messages are eventually delivered in fair executions, since the message queues are FIFO. In essence, the buff variables are modeling separate pieces of hardware, the communication links.

A set of automata $\{D(i) : 1 \le i \le n\}$ is resource-compatible if for all i, and all b in $B_i$: b is in bottles(j) in the start state of D(j) for exactly one j. Let Dine(B) be an automaton whose input actions are $\{T_i, E_i : 1 \le i \le n\}$ and whose output actions are $\{C_i, R_i : 1 \le i \le n\}$. The automaton Drink(B) is formed by composing a resource-compatible set $\{D(i) : 1 \le i \le n\}$, and Dine(B), and then hiding all actions except $\bigcup_{i=1}^{n} \text{B-TCER}_i$. See Figure 1.
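To make the D(i) automaton and its composition concrete, here is an added executable transcription in Python; it is not the paper's code. Dine(B) is replaced by a constructed stand-in, a single FIFO token, which is enough to exercise the composition; the paper requires only that the subroutine solve the dining philosophers problem, so any real dining algorithm could be swapped in. The round-robin scheduler, the `Drink` class and its method names, the three-user ring with $B_1 = \{a,b\}$, $B_2 = \{b,c\}$, $B_3 = \{c,a\}$, and the initial placement of bottles are all our assumptions.

```python
# Added example, not the paper's code: the D(i) automaton of Section 3 composed
# with a constructed stand-in for Dine(B). Stand-in: one token; T_i enqueues i,
# C_i goes to the queue head when nobody holds the token, E_i returns it, R_i
# follows. Scheduler, ring of three users and initial bottles are constructed.
from collections import deque

class Drink:
    def __init__(self, requirement, initial_bottles):
        self.B = {i: frozenset(s) for i, s in requirement.items()}     # B_i
        self.users = sorted(self.B)
        for b in set().union(*self.B.values()):     # resource-compatible start state
            assert sum(b in initial_bottles[j] for j in self.users) == 1, b
        self.drink = {i: "R" for i in self.users}   # drink-region(i)
        self.dine = {i: "R" for i in self.users}    # dine-region(i)
        self.deferred = {i: set() for i in self.users}              # pairs (b, j)
        self.bottles = {i: set(initial_bottles[i]) for i in self.users}
        self.req = {i: frozenset() for i in self.users}             # req-bottles(i)
        self.buff = {(i, j): deque() for i in self.users for j in self.users if i != j}
        self.do_T, self.do_E = {i: False for i in self.users}, {i: False for i in self.users}
        self.queue, self.holder, self.exiting = deque(), None, set()   # Dine(B) stand-in
        self.trace = []                                             # external actions

    # macros SAT and DEFER at node i, for a request or demand from j for bottle b
    def SAT(self, i, b, j):
        self.buff[i, j].append(("sat", b)); self.bottles[i].discard(b); self.deferred[i].discard((b, j))
    def DEFER(self, i, b, j):
        if b in self.req[i]: self.deferred[i].add((b, j))
        else: self.SAT(i, b, j)
    def send_missing(self, i, kind):
        """Enqueue kind(b) to every j sharing a required bottle b that i lacks."""
        for j in self.users:
            for b in (self.req[i] & self.B[j]) - self.bottles[i]:
                if j != i: self.buff[i, j].append((kind, b))

    # input actions T_i(B) and E_i(B), performed by the user (the environment)
    def T(self, i, B):
        B = frozenset(B)
        assert self.drink[i] == "R" and B and B <= self.B[i]
        self.trace.append(("T", i, B)); self.drink[i], self.req[i] = "T", B
        self.send_missing(i, "req")
        if self.dine[i] == "R": self.do_T[i] = True
    def E(self, i, B):
        assert self.drink[i] == "C" and frozenset(B) == self.req[i]
        self.trace.append(("E", i, self.req[i])); self.drink[i] = "E"
        for b, j in list(self.deferred[i]): self.SAT(i, b, j)

    def enabled(self):
        """Locally controlled actions whose preconditions currently hold."""
        acts = []
        for i in self.users:
            if self.drink[i]== "T" and self.req[i] <= self.bottles[i] and not self.do_E[i]:
                acts.append(("C_drink", i))
            if self.drink[i] == "E" and not self.do_E[i]: acts.append(("R_drink", i))
            if self.do_T[i]: acts.append(("T_dine", i))
            if self.do_E[i]: acts.append(("E_dine", i))
            if i in self.exiting: acts.append(("R_dine", i))
            acts += [("deliver", i, j) for j in self.users if j != i and self.buff[i, j]]
        if self.holder is None and self.queue: acts.append(("C_dine", self.queue[0]))
        return acts

    def step(self, act):
        name, i = act[0], act[1]
        if name == "C_drink":                          # output C_i(B)
            self.trace.append(("C", i, self.req[i])); self.drink[i] = "C"
            if self.dine[i] == "C": self.do_E[i] = True   # priorities no longer needed
        elif name == "R_drink":                        # output R_i(B)
            self.trace.append(("R", i, self.req[i])); self.drink[i] = "R"
        elif name == "T_dine":                         # output T_i, input to Dine(B)
            self.dine[i], self.do_T[i] = "T", False; self.queue.append(i)
        elif name == "E_dine":                         # output E_i, input to Dine(B)
            self.dine[i], self.do_E[i] = "E", False; self.holder = None; self.exiting.add(i)
        elif name == "C_dine":                         # Dine(B) output C_i, input to D(i)
            self.queue.popleft(); self.holder = i; self.dine[i] = "C"
            if self.drink[i] == "T": self.send_missing(i, "dem")
            else: self.do_E[i] = True
        elif name == "R_dine":                         # Dine(B) output R_i, input to D(i)
            self.exiting.discard(i); self.dine[i] = "R"
            if self.drink[i] == "T": self.do_T[i] = True
        else:                                          # deliver(m, i, j): D(j) receives m
            j = act[2]; kind, b = self.buff[i, j].popleft()
            if kind == "sat": self.bottles[j].add(b)
            elif kind == "req": (self.DEFER if self.drink[j] in "TC" else self.SAT)(j, b, i)
            elif b in self.bottles[j]:                 # a stale dem(b) may arrive after b left j
                keep = self.drink[j] == "C" or (self.drink[j] == "T" and self.dine[j] == "C")
                (self.DEFER if keep else self.SAT)(j, b, i)

    def run(self, limit=10_000):
        """Round-robin over enabled actions until none is enabled; returns steps taken."""
        for n in range(limit):
            acts = self.enabled()
            if not acts: return n
            self.step(acts[n % len(acts)])
        raise RuntimeError("no quiescence within limit")

def exclusion_holds(trace):
    """(EX-B) in state form: users in their critical regions hold disjoint sets."""
    in_c = {}
    for kind, i, B in trace:
        if kind == "C":
            if any(B & B2 for j, B2 in in_c.items() if j != i): return False
            in_c[i] = B
        elif kind == "E": in_c.pop(i, None)
    return True

def demo():
    """Constructed run on a ring of three users; returns the external trace."""
    d = Drink({1: "ab", 2: "bc", 3: "ca"}, {1: "ab", 2: "c", 3: ""})
    d.T(1, "ab"); d.T(2, "bc"); d.T(3, "a"); d.run()   # 1 drinks; 2 and 3 wait on 1
    d.E(1, "ab"); d.run()          # deferred requests satisfied; 2 and 3 drink together
    d.E(2, "bc"); d.E(3, "a"); d.run()
    return d.trace
```

Running demo() reproduces the informal description above: user 1 already holds both its bottles and drinks first; the requests of users 2 and 3 are deferred while 1 is in its drinking critical region (user 2 meanwhile acquires dining priority and its demand for b is deferred too, since 1 is using it); once 1 exits, the deferred requests are satisfied and 2 and 3 drink concurrently because {b,c} and {a} are disjoint. Each drinker enters and leaves the dining subroutine exactly as the do-T and do-E flags dictate, and the resulting external trace satisfies the exclusion property of Section 2.2.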


4.  Proof  of  Correctness 

In Section 4.1, we show that Drink(B) solves the drinking philosophers problem, that is, the safety properties are true, regardless of the behavior of the Dine(B) subroutine. Section 4.2 consists of the proof that Drink(B) solves the no-deadlock (resp., no-lockout) drinking philosophers problem if the Dine(B) subroutine solves the no-deadlock (resp., no-lockout) dining philosophers problem. In Section 4.3 we show that Drink(B) solves the more-concurrent drinking philosophers problem if the Dine(B) subroutine preserves dining-well-formedness. The proofs rely heavily on invariants about the states of the automata. The proofs of the invariants are relegated to Appendix B.

4.1  Drinking  Philosophers 

We show that Drink(B) solves the drinking philosophers problem, regardless of the behavior of Dine(B). That is, we show that correct exclusion is maintained by the algorithm, although no liveness properties are guaranteed. Three lemmas are used in the proof of the main result, Theorem 4. Lemma 1 states some simple relationships between states and actions in an execution, for example, drink-region(i) and dine-region(i) reflect the most recent drinking and dining actions at node i. Lemma 2 asserts that Drink(B) preserves drinking-well-formedness. Lemma 3 consists of several invariants needed to show the exclusion property.

Let buff(i,j)|b be the subsequence of buff(i,j) consisting exactly of $sat(b)$, $req(b)$ and $dem(b)$.

Lemma 1: Let $e = s_0\,a_1\,s_1 \ldots$ be an execution of Drink(B). Choose any i and m, with $1 \le i \le n$ and $s_m$ in $e$.

(a) Let k be the largest integer such that $k \le m$ and $a_k$ is in $\text{B-TCER}_i$. (Let $k = 0$ if there is no such $a_k$.) If $k = 0$ or $a_k = R_i(B)$, then drink-region(i) $= R$ in $s_m$. If $a_k = T_i(B)$, then drink-region(i) $= T$ in $s_m$. If $a_k = C_i(B)$, then drink-region(i) $= C$ in $s_m$. If $a_k = E_i(B)$, then drink-region(i) $= E$ in $s_m$.

(b) Let k be the largest integer such that $k \le m$ and $a_k = T_i(B)$ for any $B$. (Let $k = 0$ if there is no such $a_k$.) If $k = 0$, then req-bottles(i) $= \emptyset$ in $s_m$; otherwise req-bottles(i) $= B$ in $s_m$.

(c) Let k be the largest integer such that $k \le m$ and $a_k$ is in $\text{F-TCER}_i$. (Let $k = 0$ if there is no such $a_k$.) If $k = 0$ or $a_k = R_i$, then dine-region(i) $= R$ in $s_m$. If $a_k = T_i$, then dine-region(i) $= T$ in $s_m$. If $a_k = C_i$, then dine-region(i) $= C$ in $s_m$. If $a_k = E_i$, then dine-region(i) $= E$ in $s_m$.

(d) For all $j \ne i$, buff(i,j)|b is empty unless b is in $B_i \cap B_j$, in $s_m$.

(e) If $(b, j)$ is in deferred(i), then $j \ne i$ and b is in $B_i \cap B_j$, for all b and j, in $s_m$.

Proof: By an easy induction on m, inspecting the code. □

Lemma 2: Drink(B) preserves drinking-well-formedness.

Proof: Suppose α is a schedule of Drink(B), and βa is a prefix of α such that β
is drinking-well-formed and a is a locally-controlled action of Drink(B). We show
that βa is drinking-well-formed.

Let e be any execution of Drink(B) with schedule βa; let s be the state of e
between β and a. There are two cases.

Case 1: a = C_i(B) for some i and B. We must show that β|B-TCER_i ends in
b = T_i(B). By precondition of C_i(B), drink-region(i) = T and B = req-bottles(i) in
s. By Lemma 1(a), b = T_i(B') for some B', and by Lemma 1(b), B' = B.

Case 2: a = R_i(B) for some i and B. We must show that β|B-TCER_i ends in
b = E_i(B). By precondition of R_i(B), drink-region(i) = E and B = req-bottles(i)
in s. By Lemma 1(a), b = E_i(B') for some B'. Since β is drinking-well-formed,
β|B-TCER_i ends in T_i(B') C_i(B') E_i(B'). By Lemma 1(b), B' = B. □

The following lemma states some invariants of the algorithm, that is, predicates
true in every reachable state of Drink(B). Recall that each bottle is in at most two
B_i's.

Lemma 3: Let e be an execution of Drink(B) whose schedule is drinking-well-
formed. Then in every state of e, the following are true, for all i, j and b.

(A) If b is in B_i ∩ B_j, i ≠ j, then exactly one of the following is true: b is in bottles(i),
or b is in bottles(j), or sat(b) is in buff(i,j), or sat(b) is in buff(j,i). If b is in B_i
only, then b is in bottles(i).

(B) If (b,j) is in deferred(i), then

(a) b is in bottles(i),

(b) drink-region(j) = T, and

(c) b is in req-bottles(j).

(C) If req(b) is at the head of buff(i,j)|b, then b is in bottles(j).

(D) If req(b) is in buff(i,j), then

(a) at most one req(b) is in buff(i,j),

(b) no sat(b) follows it in buff(i,j),

(c) (b,i) is not in deferred(j),

(d) drink-region(i) = T,

(e) b is in req-bottles(i), and

(f) b is not in bottles(i).

(E) If sat(b) is in buff(i,j), then

(a) at most one sat(b) is in buff(i,j),

(b) no dem(b) immediately follows it in buff(i,j)|b,

(c) drink-region(j) = T, and

(d) b is in req-bottles(j).

(F) If dem(b) is at the head of buff(i,j)|b and b is in bottles(j), then (b,i) is in
deferred(j).

(G) If drink-region(i) = T and b is in req-bottles(i) and b is in B_j, j ≠ i, then exactly
one of the following is true: req(b) is in buff(i,j), or (b,i) is in deferred(j), or sat(b)
is in buff(j,i), or b is in bottles(i).

(H) If b is in req-bottles(i) and drink-region(i) = C, then b is in bottles(i).

Proof: In Appendix B. □

Here is the main theorem.

Theorem 4: Drink(B) solves the drinking philosophers problem for B.

Proof: Drink(B) has the correct input and output actions by inspection and
preserves drinking-well-formedness by Lemma 2.

Let e be a fair execution of Drink(B) with schedule α. We verify the exclusion
implication.

Suppose α is drinking-well-formed. We must show α satisfies (EX-B). Suppose
in contradiction that α = α_1 C_i(B) α_2 C_j(B') α_3 for some i and j, with B ∩ B' ≠ ∅,
yet α_2 contains no E_i(B). By drinking-well-formedness, i ≠ j. Let s be the state
of e at the beginning of α_3.

Since α is drinking-well-formed, α_1|B-TCER_i ends in T_i(B), and α_2|B-TCER_i
is empty. By Lemma 1(a) and (b), drink-region(i) = C, and B = req-bottles(i) in s.
Thus by Lemma 3 (H), B ⊆ bottles(i) in s.

Again by drinking-well-formedness, (α_1 C_i(B) α_2)|B-TCER_j ends in T_j(B'). By
Lemma 1(a) and (b), drink-region(j) = C, and B' = req-bottles(j) in s. Thus by
Lemma 3 (H), B' ⊆ bottles(j) in s.

But since B ∩ B' ≠ ∅, there is some b in B ∩ B', and thus in B_i ∩ B_j, such
that b is in bottles(i) and b is in bottles(j) in s, contradicting Lemma 3 (A). Thus α
satisfies (EX-B).

We conclude that Drink(B) solves the drinking philosophers problem. □

4.2 No Deadlock and No Lockout

In this subsection we show that Drink(B) solves the no-deadlock (resp., no-
lockout) drinking philosophers problem if Dine(B) solves the no-deadlock (resp.,
no-lockout) dining philosophers problem.

Lemma 5 consists of some invariants that are useful in doing the liveness proofs.
Lemma 6 is a technical lemma relating to dining-well-formedness. Lemma 7 states
that Dine(B) behaves properly in the composition, which means that the appro-
priate implications are true (e.g., exclusion and no-deadlock for dining, if Dine(B)
solves the no-deadlock dining philosophers problem). Lemma 8 states that if all
bottles are eventually released, then all forks are eventually released. The heart
of Lemma 8 is showing that once a process in its drinking trying region enters its
dining critical region, it subsequently enters its drinking critical region and releases
its forks. Showing this depends on the dining exclusion implication (Lemma 7).

Lemma 9 is the key lemma and states that the no-deadlock implication for
dining philosophers implies the no-deadlock implication for drinking philosophers
(if all bottles are eventually released), and similarly for no-lockout. Lemma 9 is
proved as follows. Since all bottles are released, Lemma 8 implies that all forks
are released. Then Lemma 7 implies that (ND-F) (or (NL-F) as appropriate) is true,
which in turn implies that eventually the dining critical region is entered and the
drinking critical region is entered. Theorems 10 and 11 put the pieces together.

Lemma 5: Let e be an execution of Drink(B) whose schedule is drinking-well-
formed. Then in every state of e, the following are true, for all i.

(A) If do-T(i) is true, then dine-region(i) = R.

(B) If do-E(i) is true, then dine-region(i) = C.

Proof: In Appendix B. □

Lemma 6: Let e be an execution of Drink(B) whose schedule α is drinking-well-
formed. If Dine(B) preserves dining-well-formedness, then

(a) α is dining-well-formed, and

(b) for any i, if α|B-TCER_i is finite, then α|F-TCER_i is finite.

Proof: (a) We show α is dining-well-formed by induction on the length of its
prefixes. The empty prefix is obviously dining-well-formed. Let βa be a prefix of α
such that β is dining-well-formed. Let e be any execution of Drink(B) with schedule
βa; let s be the state of e between β and a.

Case 1: a = T_i for some i. By precondition of T_i, do-T(i) is true in s. By
Lemma 5 (A), dine-region(i) = R in s. By Lemma 1(c), β|F-TCER_i either ends in
R_i or is empty.

Case 2: a = C_i for some i. Since Dine(B) preserves dining-well-formedness,
β|F-TCER_i ends in T_i.

Case 3: a = E_i for some i. By precondition of E_i, do-E(i) is true in s. By
Lemma 5 (B), dine-region(i) = C in s. By Lemma 1(c), β|F-TCER_i ends in C_i.

Case 4: a = R_i for some i. Since Dine(B) preserves dining-well-formedness,
β|F-TCER_i ends in E_i.

(b) Assume in contradiction that for some i, α|B-TCER_i is finite but α|F-
TCER_i is infinite.

Case 1: α|B-TCER_i ends with T_i(B) for some B. By Lemma 1, drink-
region(i) = T for the remainder of e. By dining-well-formedness, some C_i action
occurs in e after the final T_i(B). By dining-well-formedness and Lemmas 1 and 5
(B), do-E(i) is false when this C_i occurs. By the code, do-E(i) never becomes true
after this point, since drink-region(i) = T when the C_i occurs and no C_i(B) ac-
tion occurs subsequently. Thus there is no subsequent E_i action in e, contradicting
dining-well-formedness.

Case 2: α|B-TCER_i ends with C_i(B), E_i(B) or R_i(B) for some B. By
Lemma 1, drink-region(i) is never equal to T in the remainder of e. By dining-
well-formedness, some R_i action occurs in e after the final action in B-TCER_i. By
dining-well-formedness and Lemmas 1 and 5 (A), do-T(i) is false when this R_i oc-
curs. By the code, do-T(i) never becomes true after this point, since drink-region(i)
is not T when the R_i occurs and no T_i(B) action occurs subsequently. Thus there
is no subsequent T_i action in e, contradicting dining-well-formedness. □

Lemma 7 shows that Dine(B) behaves properly in the composition.

Lemma 7: Let e be a fair execution of Drink(B) whose schedule α is drinking-well-
formed.

(a) Suppose Dine(B) solves the dining philosophers problem. Then α satisfies (EX-F).

(b) Suppose Dine(B) solves the no-deadlock dining philosophers problem. If α
satisfies (REL-F), then α satisfies (EX-F) and (ND-F).

(c) Suppose Dine(B) solves the no-lockout dining philosophers problem. If α satisfies
(REL-F), then α satisfies (EX-F) and (NL-F).

Proof: In all three cases, Lemma 6(a) implies that α is dining-well-formed. Let
e' = e|Dine(B) and α' = sched(e'). Thus α' is also dining-well-formed, and if α
satisfies (REL-F), then so does α'. By a result in [LT], e' is a fair execution of
Dine(B). Thus α' satisfies (EX-F) and either (ND-F) or (NL-F) (as appropriate),
and so does α. □

Next we show that if all bottles are eventually released, then all forks are
eventually released.

Lemma 8: Let e be a fair execution of Drink(B) whose schedule α is drinking-well-
formed and satisfies (REL-B). If Dine(B) solves the dining philosophers problem
for B, then α satisfies (REL-F).

Proof: We must show that for all i, α|F-TCER_i does not end in C_i. Lemma 6(a)
implies that α is dining-well-formed. By Lemma 7(a), α satisfies (EX-F). Suppose
in contradiction that for some i, e = e_1 C_i e_2, where no action from F-TCER_i occurs
in e_2. By Lemma 1(c), dine-region(i) = C throughout e_2. Let s be the last state of
e_1.

Case 1: drink-region(i) = C, E or R in s. By the code, do-E(i) = true
throughout e_2. Thus C_i(B) and R_i(B) are disabled for all B throughout e_2 and
hence never occur in e_2. By assumption, T_i and E_i never occur in e_2. Yet E_i is
enabled throughout e_2, contradicting e being fair.

Case 2: drink-region(i) = T in s. Let req-bottles(i) = B in s. If do-E(i) ever
becomes true in e_2, then the same argument as in Case 1 gives a contradiction.
Thus do-E(i) never becomes true in e_2. By the code, then, C_i(B') never occurs in
e_2 for any B', and by Lemma 1(a) and (b) and drinking-well-formedness, no E_i(B')
occurs, drink-region(i) = T, and req-bottles(i) = B throughout e_2.

At the beginning of e_2, D(i) sends dem(b) for all b in B that it is still missing.
We now show that eventually every missing bottle will be in bottles(i). By fairness
of e, each dem(b) is eventually received. Consider recipient D(j).

Case 2.1: b ∉ bottles(j) when dem(b) is received by D(j). Throughout e_2,
D(i) never adds sat(b) to buff(i,j), since requests and demands are deferred and
no E_i(B') occurs. Since the queues are FIFO, Lemma 3 (A) implies that the only
possibilities when dem(b) is received are that b is in bottles(i) or sat(b) is in buff(j,i).

Case 2.2: b ∈ bottles(j) when dem(b) is received by D(j). By the code, there
are only two situations in which sat(b) is not immediately added to buff(j,i).

Case 2.2.1: drink-region(j) = C and b ∈ req-bottles(j) when dem(b) is received
by D(j). By (REL-B), eventually some E_j(B') occurs subsequently in e_2 and thus
by the code sat(b) is added to buff(j,i) then.

Case 2.2.2: drink-region(j) = T and dine-region(j) = C and b ∈ req-bottles(j)
when dem(b) is received by D(j). Since α satisfies (EX-F), dine-region(j) can never
be C in e_2 by dining-well-formedness and Lemma 1(c), and this case cannot occur.

In both Cases 2.1 and 2.2, by fairness of e, the sat(b) message eventually arrives
at D(i) in e_2.

Since e_2 contains no C_i(B) action, by drinking-well-formedness no R_i(B') or
C_i(B') occurs in e_2 for any B'. Yet once any bottle in B is in bottles(i) in e_2, it
stays there for the rest of e_2. Thus after some point in e_2, C_i(B) is continuously
enabled, yet no action in that class of the partition occurs, contradicting e being
fair. □

The next lemma states that no-deadlock for forks implies no-deadlock for bot-
tles, and similarly for no-lockout.

Lemma 9: Let e be a fair execution of Drink(B) whose schedule α is drinking-well-
formed and satisfies (REL-B). If Dine(B) solves the no-deadlock (resp., no-lockout)
dining philosophers problem, then α satisfies (ND-B) (resp., (NL-B)).

Proof: By Lemma 6(a), α is dining-well-formed. If Dine(B) solves either the no-
deadlock or the no-lockout dining philosophers problem, then Dine(B) obviously
solves the dining philosophers problem, and by Lemma 8, α satisfies (REL-F).

Suppose in contradiction that α does not satisfy (ND-B) (resp., (NL-B)), i.e.,
there exists an i such that α|B-TCER (resp., α|B-TCER_i) is finite and α|B-TCER_i
ends in E_i(B) or T_i(B) for some B. (Ending in C_i(B) is ruled out by (REL-B).)

We now show that α|F-TCER_i ends in R_i.

No-deadlock: Since α|B-TCER is finite, α|F-TCER is also finite by Lemma
6(b). By Lemma 7(b), α satisfies (ND-F), implying that α|F-TCER_i ends in R_i.

No-lockout: Since α|B-TCER_i is finite, α|F-TCER_i is also finite by Lemma
6(b). By Lemma 7(c), α satisfies (NL-F), implying that α|F-TCER_i ends in R_i.

We now show that both possibilities for the final action in α|B-TCER_i lead to
a contradiction.

Case 1: α|B-TCER_i ends in T_i(B) for some B. By Lemma 1(a), drink-
region(i) = T for the rest of e. Since α|F-TCER_i ends in R_i, dine-region(i) = R
for the rest of e by Lemma 1. If the final R_i occurs before the final T_i(B), then
do-T(i) is set to true when the T_i(B) occurs. If the final R_i occurs after the final
T_i(B), then do-T(i) is set to true when the R_i occurs. In both cases, after some
point, do-T(i) is true for the rest of e. Thus after some point in e, T_i is continuously
enabled, yet no action from that class of the partition occurs, contradicting e being
fair.

Case 2: α|B-TCER_i ends in E_i(B) for some B. After this point, drink-region(i)
remains E and req-bottles(i) remains B, by Lemma 1. Since α|F-TCER_i ends in
R_i, after some point in e dine-region(i) remains R by Lemma 1. Thus by Lemma 5
(B), do-E(i) remains false. So after some point in e, R_i(B) is continuously enabled,
yet no action in that class of the partition occurs, contradicting e being fair. □

The main theorems follow.

Theorem 10: If Dine(B) solves the no-deadlock dining philosophers problem for
B, then Drink(B) solves the no-deadlock drinking philosophers problem for B.

Proof: Drink(B) has the correct input and output actions by inspection and pre-
serves drinking-well-formedness by Lemma 2.

Let e be a fair execution of Drink(B). We verify the exclusion and no-deadlock
implications. The exclusion implication is true by the same argument as in the
proof of Theorem 4. The no-deadlock implication is true by Lemma 9. □

Theorem 11: If Dine(B) solves the no-lockout dining philosophers problem for B,
then Drink(B) solves the no-lockout drinking philosophers problem for B.

Proof: Analogous to the proof of Theorem 10. □

4.3 Concurrent Drinking

In this subsection we show that Drink(B) solves the more-concurrent drinking
philosophers problem, regardless of the behavior of Dine(B) (as long as it preserves
dining-well-formedness). In essence, the condition (NOV-B)_i is so strong that the
dining subroutine is not needed to arbitrate disputes. Lemma 12 proves several
invariants about dem(b) messages and is used in the proof of the next lemma (as
well as in the complexity analysis). Lemma 13 is the main one, stating that the
no-overlap condition implies the never-stuck condition. Theorem 14 puts the pieces
together.

A dem(b) message in buff(i,j) is current if one of the following is true: a
sat(b) message precedes it in buff(i,j), or b is in bottles(j), or a sat(b) message is in
buff(j,i).

Lemma 12: Suppose Dine(B) preserves dining-well-formedness. Let e be an execu-
tion of Drink(B) whose schedule is drinking-well-formed. The following predicates
are true in every state of e, for any i, j and b.

(A) If there is a current dem(b) message in buff(i,j), then

(a) drink-region(i) = T,

(b) dine-region(i) = C,

(c) b is in req-bottles(i), and

(d) do-E(i) is false.

(B) There is at most one current dem(b) message in buff(i,j).

(C) There is at most one non-current dem(b) message in buff(i,j).

Proof: In Appendix B. □

Lemma 13: Let e be a fair execution of Drink(B) whose schedule α is drinking-
well-formed and satisfies (NOV-B)_i, for some fixed i. If Dine(B) preserves dining-
well-formedness, then α satisfies (NS-B)_i.

Proof: Recall that (NOV-B)_i states that for all j and any B and B' with B ∩ B' ≠ ∅,
the following two conditions hold: (1) if α = β_1 T_i(B) β_2 T_j(B') β_3, then β_2 contains
C_i(B); and (2) if α = β_1 T_j(B') β_2 T_i(B) β_3, then β_2 contains E_j(B').

Suppose in contradiction to (NS-B)_i that α|B-TCER_i ends in T_i(B) or E_i(B)
for some B.

Case 1: α|B-TCER_i ends in T_i(B). By (NOV-B)_i, drinking-well-formedness
and Lemma 1(a), for all j ≠ i, drink-region(j) = E or R for the rest of e after the
final T_i(B). When the final T_i(B) occurs, a request message for each bottle b in B
that is not in bottles(i) is placed in the appropriate buff(i,j). Since e is fair, it is
eventually delivered. By Lemma 3 (C), b is in bottles(j) when the request is received
and by the code D(j) immediately satisfies the request. Since e is fair, the satisfy
message is eventually delivered to D(i).

We now show that once b is in bottles(i) after the final T_i(B), it remains there.
Since drink-region(j), j ≠ i, is never equal to T after the final T_i(B), Lemma 3 (D-d)
implies that D(i) never receives req(b) after the final T_i(B). Similarly, Lemma 12
(A-a) implies that D(i) never receives a dem(b) message for b in bottles(i) after the
final T_i(B). Thus there is a point in e after which every bottle in B is in bottles(i)
and remains there.

By Lemma 6(b), α|F-TCER_i is finite. Consider the point in e after the later
of (1) the last action in F-TCER_i and (2) the point after the final T_i(B) when B ⊆
bottles(i). If do-E(i) is true at this point, then E_i is continuously enabled for the
rest of e, yet no action in that class of the partition occurs, contradicting e being
fair. If do-E(i) is false at this point, then C_i(B) is continuously enabled for the rest
of e, yet no action in that class of the partition occurs, contradicting e being fair.

Case 2: α|B-TCER_i ends in E_i(B). By Lemma 6(b), α|F-TCER_i is finite.
After the later of the final action in F-TCER_i and the final E_i(B), do-E(i) is
either true or false. If do-E(i) is true at this point, then E_i is continuously enabled
for the rest of e, yet no action in that class of the partition occurs, contradicting
e being fair. If do-E(i) is false at this point, then R_i(B) is continuously enabled
for the rest of e, yet no action in that class of the partition occurs, contradicting e
being fair. □

Theorem 14: If Dine(B) preserves dining-well-formedness, then Drink(B) solves
the more-concurrent drinking philosophers problem for B.

Proof: Drink(B) has the correct input and output actions by inspection and pre-
serves drinking-well-formedness by Lemma 2.

Let e be a fair execution of Drink(B) with schedule α. We verify the exclusion,
and more-concurrent for i (1 ≤ i ≤ n) implications. The exclusion implication is
true by the same argument as in the proof of Theorem 4. The more-concurrent for
i implications, 1 ≤ i ≤ n, are true by Lemma 13. (Lemma 13 is applicable because
Lemma 6(a) implies that α is dining-well-formed.) □

5. Complexity Analysis

In this section, we analyze the worst-case waiting time of our algorithm as well
as evaluating it using the criteria listed in [CM]. The analysis of the worst-case
waiting time shows that the limiting factor is the no-lockout dining philosophers
subroutine. By replacing the O(n) time subroutine of [CM] with an O(1) time
subroutine (for instance, that of [Ly]), we obtain an O(1) time drinking philosophers
algorithm.

We would like to bound how long a user must wait after requesting to enter
its critical region until it does so. The following definitions provide a measure of
time complexity for our model that is analogous to that in [PF], in which an upper
bound on process step time, but no lower bound, is assumed. (Thus, all interleavings
of system events are still possible.) Our timing definitions provide distinct upper
bounds on process step time and on message delivery time.

Given an execution e of automaton A, where e = s_0 a_1 s_1 ..., a timing function
for e is an increasing function t_e mapping positive integers to nonnegative real
numbers such that for each real number t, only a finite number of integers i satisfy
t_e(i) ≤ t. Intuitively, t_e(i) is the real time at which a_i occurs; we rule out an infinite
number of actions occurring before a finite real time.

Let f be a function mapping each class of the partition part(A) to a positive
real number. Execution e is f-bounded if the following condition is true for each
class C of the partition part(A). For each i > 0, either

(1) there exists j ≥ i such that a_j is in C and t_e(j) - t_e(i) ≤ f(C), or

(2) there exists j ≥ i such that no action of C is enabled in s_j and t_e(j) - t_e(i) ≤
f(C).

That is, starting at any point in the execution, within time f(C) either some output
action in C occurs, or else the automaton passes through a state in which no output
action in C is enabled. Each class of the partition is considered separately, since
each class corresponds, in some sense, to a distinct entity in a larger system.
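The f-bounded condition can be checked mechanically on a recorded finite prefix of an execution. The following Python checker is an added example, not part of the paper: it assumes a constructed abstraction in which each state is replaced by the set of partition classes that have an enabled action, uses the classes and bounds c and d of this section's analysis for two drinkers sharing one bottle b, and treats a window that extends past the recorded prefix as undecided rather than violated.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Execution:
    """e = s_0 a_1 s_1 ... a_N s_N with timing function t_e.

    states[k] is s_k, abstracted (a constructed simplification, not the paper's
    state) to the frozenset of partition classes that have an enabled action in
    s_k; actions[k-1] is a_k and times[k-1] is t_e(k).
    """
    states: tuple
    actions: tuple
    times: tuple

def is_timing_function(times):
    # t_e must be increasing and nonnegative; on a finite prefix the requirement
    # that only finitely many i satisfy t_e(i) <= t holds automatically.
    return all(t >= 0 for t in times) and all(a < b for a, b in zip(times, times[1:]))

def class_violation(ex, part, f, cls):
    """Smallest i at which class cls breaks the f-bounded condition, or None.

    For each i there must be a j >= i with t_e(j) - t_e(i) <= f(cls) such that
    a_j is in cls (condition 1) or no action of cls is enabled in s_j
    (condition 2). A finite prefix can only refute windows it fully contains,
    so indices with t_e(i) + f(cls) > t_e(N) are left undecided, not flagged.
    """
    n, bound = len(ex.actions), f[cls]
    for i in range(1, n + 1):
        t_i = ex.times[i - 1]
        if t_i + bound > ex.times[-1]:
            break
        if not any(ex.actions[j - 1] in part[cls] or cls not in ex.states[j]
                   for j in range(i, n + 1) if ex.times[j - 1] - t_i <= bound):
            return i
    return None

def is_f_bounded(ex, part, f):
    return is_timing_function(ex.times) and all(
        class_violation(ex, part, f, cls) is None for cls in part)

def make_execution(s0, steps):
    """steps: (a_k, t_e(k), classes enabled in s_k) for k = 1..N."""
    states = [frozenset(s0)]
    actions, times = [], []
    for action, t, enabled_after in steps:
        actions.append(action)
        times.append(t)
        states.append(frozenset(enabled_after))
    return Execution(tuple(states), tuple(actions), tuple(times))

# Constructed instance: drinkers 1 and 2 share the single bottle b. The classes
# follow the analysis: P_i = {C_i(B), R_i(B), T_i, E_i : B ⊆ B_i} with bound c,
# and one deliver class per channel with bound d.
C_STEP, D_DELAY = 1.0, 3.0
PART = {
    "P1": {"T_1", "E_1", "C_1({b})", "R_1({b})"},
    "P2": {"T_2", "E_2", "C_2({b})", "R_2({b})"},
    "MSG12": {"deliver(req(b),1,2)", "deliver(dem(b),1,2)", "deliver(sat(b),1,2)"},
    "MSG21": {"deliver(req(b),2,1)", "deliver(dem(b),2,1)", "deliver(sat(b),2,1)"},
}
F = {"P1": C_STEP, "P2": C_STEP, "MSG12": D_DELAY, "MSG21": D_DELAY}

# s_0: T_1({b}) has just occurred, so do-T(1) is true and req(b) is in buff(1,2).
S0 = {"P1", "MSG12"}

# Every step respects c and d: sat(b) is delivered 1.7 time units after D(2) queued it.
GOOD = make_execution(S0, [
    ("T_1",                 0.5, {"MSG12"}),
    ("deliver(req(b),1,2)", 1.2, {"MSG21"}),            # D(2) is idle: queues sat(b)
    ("C_1",                 2.0, {"MSG21", "MSG12"}),   # forks granted; b missing, dem(b) sent
    ("deliver(sat(b),2,1)", 2.9, {"P1", "MSG12"}),      # b in bottles(1): C_1({b}) enabled
    ("C_1({b})",            3.5, {"P1", "MSG12"}),      # do-E(1) true: E_1 enabled
    ("E_1",                 4.2, {"MSG12"}),
    ("deliver(dem(b),1,2)", 4.6, set()),                # stale demand, b not at D(2)
    ("R_1",                 5.0, set()),
    ("E_1({b})",            5.8, {"P1"}),               # user exits: R_1({b}) enabled
    ("R_1({b})",            6.3, set()),
])

# Same run, but sat(b) sits in buff(2,1) for 3.4 > d while other actions happen.
SLOW = make_execution(S0, [
    ("T_1",                 0.5, {"MSG12"}),
    ("deliver(req(b),1,2)", 1.2, {"MSG21"}),
    ("C_1",                 2.0, {"MSG21", "MSG12"}),
    ("deliver(dem(b),1,2)", 2.9, {"MSG21"}),
    ("deliver(sat(b),2,1)", 4.6, {"P1"}),
    ("C_1({b})",            5.0, {"P1"}),
    ("E_1",                 5.5, set()),
])
```

`class_violation(SLOW, PART, F, "MSG21")` reports index 2, the point at which sat(b) was queued and the d window started.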

Now we analyze the worst-case time behavior of the no-lockout drinking
philosophers algorithm, automaton Drink(B), which uses any no-lockout dining
philosophers subroutine Dine(B) for B. Let f map each class {C_i(B), R_i(B), T_i, E_i :
B ⊆ B_i} to some positive real c and each class {deliver(m,i,j) : m = req(b), dem(b)
or sat(b)} to some positive real d. Thus, c is the upper bound on process step time
and d is the upper bound on the message delay. Let ℰ be the set of all fair f-bounded
executions of Drink(B) whose schedules are drinking-well-formed and satisfy (REL-
B).

Let try_Drink be the maximum time, over all i and all B ⊆ B_i, between any
T_i(B) action and the subsequent C_i(B) action, in any execution in ℰ. Let crit_Drink
be the maximum time, over all i and all B ⊆ B_i, between any C_i(B) action and the
subsequent E_i(B) action, in any execution in ℰ.

Let try_Dine be the maximum time over all i between any T_i action and the
subsequent C_i action, in any execution in ℰ. Let crit_Dine be the maximum time
over all i between any C_i action and the subsequent E_i action, in any execution
in ℰ. Let exit_Dine be the maximum time over all i between any E_i action and the
subsequent R_i action, in any execution in ℰ.

We assume that crit_Drink and exit_Dine are constants.

Theorem 16 gives an upper bound on try_Drink, the maximum time a user
process must wait after requesting to enter its critical region until it is allowed to
do so. It is proved using Lemma 15, which bounds the number of messages in any
buff(i,j). The proof of Lemma 15 in turn uses Lemma 12.

First we show that there is a bounded number of messages in any buff. Let r
be the maximum number of bottles shared by any two drinkers.

Lemma 15: Suppose Dine(B) preserves dining-well-formedness. Let e be any
execution of Drink(B) whose schedule is drinking-well-formed. Then in any state
of e, there are at most 4r messages in buff(i,j) for any i and j.

Proof: Choose any i and j, i ≠ j. Let s be any state in e. By Lemma 1(d),
buff(i,j)|b is empty unless b is in B_i ∩ B_j. There are at most r bottles in B_i ∩ B_j.
Choose any such b. By (D-a) of Lemma 3, there is at most one req(b) message
in buff(i,j) in s. By (E-a) of Lemma 3, there is at most one sat(b) message in
buff(i,j) in s. By (B) of Lemma 12, there is at most one current dem(b) message
in buff(i,j) in s. By (C) of Lemma 12, there is at most one non-current dem(b)
message in buff(i,j) in s. Thus there are at most four messages in buff(i,j)|b. The
result follows. □
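The per-bottle count behind Lemma 15, together with the definition of a current dem(b) message from Section 4.3, can be replayed on a single buffer state. The following Python is an added example, not code from the paper: the drinkers, their bottle sets, the buffer contents and bottles(j) are all constructed, and the checker reports which of the invariants the proof relies on a given buffer would break.

```python
from collections import Counter

# Constructed instance: drinkers 1 and 2 with B_1 = {b1, b2, b3} and
# B_2 = {b1, b2, b3, b4}, so r = |B_1 ∩ B_2| = 3 and Lemma 15 allows at most
# 4r = 12 messages in buff(1,2).
B_1 = {"b1", "b2", "b3"}
B_2 = {"b1", "b2", "b3", "b4"}
SHARED = B_1 & B_2

# Messages are (kind, bottle) pairs in FIFO order; kind is "req", "sat" or "dem".
# D(1) satisfied a request for b2, then requested and finally demanded it back,
# while also requesting b1 and demanding b3, both of which D(2) currently holds.
BUFF_12 = [("sat", "b2"), ("req", "b1"), ("req", "b2"), ("dem", "b2"), ("dem", "b3")]
BUFF_21 = []
BOTTLES_2 = {"b1", "b3", "b4"}

def is_current(buff_ij, k, bottles_j, buff_ji):
    """Section 4.3: the dem(b) at position k of buff(i,j) is current iff a sat(b)
    precedes it in buff(i,j), or b is in bottles(j), or a sat(b) is in buff(j,i)."""
    kind, b = buff_ij[k]
    if kind != "dem":
        raise ValueError("only dem messages are classified as current")
    return (("sat", b) in buff_ij[:k]
            or b in bottles_j
            or ("sat", b) in buff_ji)

def per_bottle_census(buff_ij, bottles_j, buff_ji):
    """For each bottle, count the req, sat, current dem and non-current dem
    messages in buff(i,j): the four kinds the Lemma 15 proof bounds by one each."""
    census = {}
    for k, (kind, b) in enumerate(buff_ij):
        counts = census.setdefault(b, Counter())
        if kind == "dem":
            kind = "dem-current" if is_current(buff_ij, k, bottles_j, buff_ji) else "dem-stale"
        counts[kind] += 1
    return census

def buffer_problems(buff_ij, bottles_j, buff_ji, shared):
    """Replay the Lemma 15 argument on one buffer state: every bottle must lie in
    B_i ∩ B_j (Lemma 1(d)) and no kind may repeat for a bottle (Lemma 3 (D-a) and
    (E-a), Lemma 12 (B) and (C)), hence at most 4r messages overall.
    Returns the list of violations; an empty list means the state passes."""
    problems = []
    for b, counts in per_bottle_census(buff_ij, bottles_j, buff_ji).items():
        if b not in shared:
            problems.append(f"{b}: not shared by both drinkers")
        for kind, n in counts.items():
            if n > 1:
                problems.append(f"{b}: {n} {kind} messages, at most 1 allowed")
    if len(buff_ij) > 4 * len(shared):
        problems.append(f"{len(buff_ij)} messages exceed the 4r = {4 * len(shared)} bound")
    return problems

# A buffer no reachable state can contain: a duplicate req(b1) and a demand for
# a bottle that drinker 1 does not share with drinker 2.
BAD_BUFF_12 = [("req", "b1"), ("req", "b1"), ("dem", "b4")]
```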

The main theorem follows.

Theorem 16: try_Drink ≤ 3c + 8rd + exit_Dine + try_Dine + crit_Drink.

Proof: Choose e in ℰ and fix i. Suppose T_i(B) occurs at time t, for some B. In
the worst case, dine-region(i) = C at time t. By time c later, E_i occurs, by time
exit_Dine later, R_i occurs, by time c later, T_i occurs, and by time try_Dine later, C_i
occurs.

When this C_i occurs, D(i) sends a dem(b) message for all required and missing
bottles. By Lemma 15, the demand is received by time 4rd later. As in the proof
of Lemma 8 (Case 2.2.2), either the recipient immediately sends sat(b) to D(i) or
else the recipient is in its drinking critical region and sends sat(b) by time crit_Drink
later. By Lemma 15, the sat(b) is received by time 4rd later. By time c later, C_i(B)
occurs. □

Since  we  assume  that  critpr;„k,  ex Upnie.  r,  d  and  c  are  constants,  the  worst- 
case  waiting  time  of  this  solution  depends  on  try pjne,  the  worst-case  waiting  time  of 
the  dining  philosophers  subroutine.  For  any  dining  philosophers  algorithm,  tryp;ne 
depends  on  critpi„t.  We  now  give  an  informal  argument  for  an  upper  bound  on 
cni£>,*Me.  Once  C;  occurs,  E;  will  not  occur  until  after  D[i)  has  sent  demands  for 
needed  bottles,  these  demands  have  been  satisfied,  and  D(i)  has  entered  its  drinking 


critical  region.  The  upper  bound  then  is  2c +  S >•</+  c ritormk*  Thus  critQint  is  also 
a  constant,  under  our  assumptions. 

The  dining  philosophers  subroutine  used  by  Clumdy  and  Misra  (19S4)  has 
tryoint  of  0(ii).  By  replacing  it  with,  for  instance,  the  dining  philosophers  algo¬ 
rithm  of  Lynch  (19S1),  which  has  worst-case  waiting  time  of  0(1),  we  obtain  a  more 
efficient  drinking  philosophers  algorithm.  The  algorithm  of  Lynch  (19S1)  has  time 
0(1)  in  the  sense  that  the  worst-case  waiting  time  is  a  function  of  local  information, 
including  the  maximum  number  of  users  for  each  resource,  and  the  maximum  num¬ 
ber  of  resources  for  each  user,  and  is  not  necessarily  a  function  of  the  total  number 
of  users. 

Our  drinking  philosophers  algorithm  could  be  modified  to  replace  r  with  a 
small  constant,  if  the  request,  demand,  and  satisfy  messages  took  a  set  of  bottles 
as  arguments  instead  of  a  single  bottle. 

Five  criteria  for  evaluating  resource  allocation  algorithms  arc  given  by  Chandy 
and  Misra  (1984)  —  fairness,  symmetry,  economy,  concurrency  and  boundedness. 
We  discuss  each  in  turn. 

Fairness corresponds to our definition of no-lockout. Our drinking philosophers solution has the no-lockout property as long as the dining philosophers subroutine has it.

Symmetry means that each process runs the identical program. This property is true of our solution, as long as it is true of the subroutine.

Economy means that processes send and receive a finite number of messages between subsequent entries to their critical regions, and a process that enters its critical region a finite number of times does not send or receive an infinite number of messages. Our solution has this property: Recall that when T_i(B) occurs, D(i) sends req(b) messages for all missing resources. It defers any req(b) messages it receives when drink-region(i) = T, but yields to dem(b) messages. When dine-region(i) becomes C, it sends dem(b) messages for any missing resources. Thus at most four messages (req(b), sat(b), dem(b), sat(b)) are sent on behalf of any bottle for any one trying attempt. Furthermore, once a drinker stops wanting to enter its critical region, it may receive a request for each of its bottles, but after satisfying the requests, it never sends or receives any more messages.

Concurrency means that "the solution does not deny the possibility of simultaneous drinking from different bottles by different philosophers." This is certainly true of our algorithm, since it satisfies the more-concurrent condition. More precise formulations of "concurrency" were given in our definitions (see Sections 3 and 6).

Boundedness means that the number of messages in any buff(i,j) variable is bounded, and the size of each message is bounded. This is certainly true of our solution, by Lemma 15.

6.  Conclusions 

We have given precise definitions of several versions of the dining philosophers and drinking philosophers problems, each version satisfying different liveness and concurrency conditions. We described a modular drinking philosophers algorithm that used as a true subroutine any dining philosophers algorithm. We proved the correctness of our algorithm, and analyzed its time complexity. One advantage of our modular approach is that an algorithm with improved worst-case time performance can be obtained by using a time-efficient dining philosophers subroutine. We close with a discussion of other versions of the drinking philosophers problem.

The version of the drinking philosophers problem specifying the most concurrency would require that if a drinker requests a set B of bottles, it should eventually enter its critical region, as long as no other drinker uses any of the bottles in B forever. (Some bottles in B could be kept forever after this request is satisfied.) Unfortunately, neither the algorithm in this paper nor that of Chandy and Misra (1984) satisfies this condition. An interesting problem would be to devise one that does.

The following situation shows that our algorithm does not solve the "most concurrent" drinking philosophers problem. (Essentially the same scenario shows that the algorithm of Chandy and Misra (1984) also does not.) Suppose there are three drinkers, 1, 2 and 3; 1 and 2 share bottle a, 2 and 3 share bottle b. First, 1 gets bottle a, enters its drinking critical region, and stays there forever. Then 2 requests a and b, obtains b, and enters its dining critical region. Since 2 can never obtain a, it stays in its dining critical region forever. Finally, 3 requests b. Drinker 2 does not relinquish b upon a mere request, and 3 can never demand b, because it can never enter its dining critical region. Thus, even though 3's bottle request includes no bottle that is ever in use, it can never enter its drinking critical region.

There is a version of the drinking philosophers problem specifying a degree of concurrency intermediate between strongest and more-concurrent, that the algorithm of Chandy and Misra (1984) solves and ours does not. The informal description is that if a drinker requests a set B of bottles, it should eventually enter its critical region, as long as no other drinker uses or wants any of the bottles in B forever.

The following scenario shows that our algorithm does not solve this problem. Suppose there are five drinkers, 1 through 5. Drinkers 1 and 2 share bottle a, 2 and 3 share b, 3 and 4 share c, and 3 and 5 share d. First, 1 gets a, enters its drinking critical region and stays there forever. Then 2 requests a and b, obtains b and enters its dining critical region. As in the previous scenario, 2 remains in its dining critical region forever. Next, 3 requests c and d. It obtains c from 4. Then 4 requests c from 3, and the request is deferred. 4 demands c from 3, and the request is satisfied. Now 3 obtains d from 5. But 3 will never get c from 4, because it can never demand it. Thus, although none of the bottles required by 3 are ever wanted forever by another drinker, 3 cannot enter its drinking critical region.
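The two scenarios above (the "most concurrent" one with three drinkers and the intermediate one with five) can be replayed mechanically. The model below is an added example, not the paper's own code for Drink(B): it implements only the message rules this section states in prose (req(b) is deferred by a drinker that is trying or drinking, dem(b) is yielded unless the holder is drinking, dem(b) is sent only from the dining critical region, and deferred requests are served on exit), abstracts the dining subroutine to mutual exclusion among drinkers that share a bottle, and assumes an initial bottle placement. It checks invariant (A) of Lemma 3 after every step and logs messages so the economy bound (at most four messages per bottle per trying attempt) can be inspected.

```python
"""Added model of the drinking philosophers scenarios; rules reconstructed from the
prose of this section and labelled as assumptions, not the paper's Drink(B) code."""
from collections import deque


class Drinker:
    def __init__(self):
        self.bottles, self.req_bottles, self.deferred = set(), set(), set()
        self.drink_region = self.dine_region = "R"


class DrinkSystem:
    def __init__(self, sharing):          # sharing: bottle -> (initial holder, other sharer)
        self.share = sharing              # initial placement is an assumption of this model
        ids = sorted({p for pair in sharing.values() for p in pair})
        self.d = {i: Drinker() for i in ids}
        for b, (holder, _) in sharing.items():
            self.d[holder].bottles.add(b)
        self.buff = {(i, j): deque() for i in ids for j in ids if i != j}   # buff(i,j)
        self.sent = []                                                    # message log
        self.check_A()

    def other(self, b, i):
        x, y = self.share[b]
        return y if x == i else x

    def neighbours(self, i):
        return {self.other(b, i) for b, pair in self.share.items() if i in pair}

    def send(self, i, j, kind, b):
        self.buff[(i, j)].append((kind, b))
        self.sent.append((i, j, kind, b))

    def T_drink(self, i, B):              # T_i(B): request every missing bottle, then try dining
        d = self.d[i]
        d.drink_region, d.req_bottles, d.dine_region = "T", set(B), "T"
        for b in sorted(d.req_bottles - d.bottles):
            self.send(i, self.other(b, i), "req", b)

    def C_dine(self, i):                  # C_i: abstract dining subroutine, granted when no
        d = self.d[i]                     # neighbour is in its dining critical region
        if d.dine_region != "T" or any(self.d[n].dine_region == "C" for n in self.neighbours(i)):
            return False
        d.dine_region = "C"
        for b in sorted(d.req_bottles - d.bottles):
            self.send(i, self.other(b, i), "dem", b)
        return True

    def C_drink(self, i):                 # C_i(B), then E_i: leave the dining critical region
        d = self.d[i]
        if d.drink_region != "T" or not d.req_bottles <= d.bottles:
            return False
        d.drink_region, d.dine_region = "C", "R"
        return True

    def E_drink(self, i):                 # E_i(B): hand over every deferred bottle
        d = self.d[i]
        d.drink_region, d.req_bottles = "R", set()
        for b, j in sorted(d.deferred):
            d.bottles.discard(b)
            self.send(i, j, "sat", b)
        d.deferred.clear()
        self.check_A()

    def deliver(self, j, i):              # deliver(m, j, i): i handles the head of buff(j,i)
        if not self.buff[(j, i)]:
            return False
        kind, b = self.buff[(j, i)].popleft()
        d = self.d[i]
        if kind == "sat":
            d.bottles.add(b)
        elif kind == "req":
            if d.drink_region in ("T", "C"):
                d.deferred.add((b, j))    # a mere request is deferred (assumed rule)
            elif b in d.bottles:
                d.bottles.discard(b)
                self.send(i, j, "sat", b)
        elif kind == "dem" and b in d.bottles and d.drink_region != "C":
            d.bottles.discard(b)          # demander holds dining priority: yield (assumed rule)
            d.deferred.discard((b, j))
            self.send(i, j, "sat", b)
        self.check_A()
        return True

    def settle(self):                     # deliver everything and take every enabled C_i / C_i(B)
        while any(self.deliver(j, i) for (j, i) in self.buff) \
                or any(self.C_dine(i) for i in self.d) or any(self.C_drink(i) for i in self.d):
            pass

    def check_A(self):                    # Lemma 3 (A): a shared bottle is in exactly one place
        for b, (x, y) in self.share.items():
            places = [b in self.d[x].bottles, b in self.d[y].bottles,
                      ("sat", b) in self.buff[(x, y)], ("sat", b) in self.buff[(y, x)]]
            assert sum(places) == 1, f"invariant (A) violated for bottle {b}"


def scenario_most_concurrent():
    """Three drinkers: 1 and 2 share a, 2 and 3 share b (constructed per the text)."""
    s = DrinkSystem({"a": (2, 1), "b": (3, 2)})
    s.T_drink(1, {"a"}); s.settle()       # 1 gets a and drinks forever
    s.T_drink(2, {"a", "b"}); s.settle()  # 2 gets b, enters dining C, demands a in vain
    s.T_drink(3, {"b"}); s.settle()       # 3 asks 2 for b; 2 merely defers it
    return s                              # 3 stays trying although b is never in use


def scenario_intermediate():
    """Five drinkers: 1-2 share a, 2-3 share b, 3-4 share c, 3-5 share d (constructed)."""
    s = DrinkSystem({"a": (2, 1), "b": (3, 2), "c": (4, 3), "d": (5, 3)})
    s.T_drink(1, {"a"}); s.settle()
    s.T_drink(2, {"a", "b"}); s.settle()
    s.T_drink(3, {"c", "d"}); s.deliver(3, 4); s.deliver(4, 3)   # 3 obtains c from 4
    s.T_drink(4, {"c"}); s.deliver(4, 3)                          # 4's request is deferred
    s.C_dine(4); s.deliver(4, 3); s.deliver(3, 4)                 # 4 demands c and gets it
    s.deliver(3, 5); s.deliver(5, 3)                              # 3 obtains d from 5
    s.C_drink(4); s.E_drink(4)                                    # 4 drinks and leaves
    s.settle()
    return s                              # 3 still cannot demand c: 2 blocks its dining entry
```

In both runs drinker 3 ends in drink-region T with no message in flight and no enabled action left, which is the starvation the text describes; in the second run drinker 4 holds c in region R, so no bottle 3 needs is wanted by anyone, yet 3 cannot enter its dining critical region because 2 never leaves it.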

In contrast, the algorithm of Chandy and Misra (1984) will allow 3 to enter its drinking critical region. The forks in the dining philosophers algorithm provide a priority for the use of the corresponding bottles by the drinkers. The priority alternates between the two processes sharing the resource. Thus, once 3 obtains c it will not relinquish it until it has gotten to use it. In general, priority is broken down on a link-by-link basis, whereas in our (more modular) algorithm, the priority comes only with entering the dining critical region. In other words, one can optimize to gain extra concurrency at the expense of violating modularity.

Appendix A

In this Appendix, we review the aspects of the model of Lynch and Tuttle (1987) that are relevant to this paper.

An input-output automaton A is defined by the following four components. (1) There is a (possibly infinite) set of states with a subset of start states. (2) There is a set of actions, associated with the state transitions. The actions are divided into three classes, input, output, and internal. Input actions are presumed to originate in the automaton's environment; consequently the automaton must be able to react to them no matter what state it is in. Output and internal actions (or, locally-controlled actions) are under the local control of the automaton; internal actions model events not observable by the environment. The input and output actions are the external actions of A, denoted ext(A). (3) The transition relation is a set of (state, action, state) triples, such that for any state s' and input action x, there is a transition (s', x, s) for some state s. (4) There is an equivalence relation part(A) partitioning the output and internal actions of A. The partition is meant to reflect separate pieces of the system being modeled by the automaton. Action x is enabled in state s' if there is a transition (s', x, s) for some state s.

An execution e of A is a finite or infinite sequence s_0 x_1 s_1 ... of alternating states and actions such that s_0 is a start state, (s_{i-1}, x_i, s_i) is a transition of A for all i, and if e is finite then e ends with a state. The schedule of an execution e is the subsequence of actions appearing in e.

We often want to specify a desired behavior using a set of schedules. Thus we define an external schedule module S to consist of a set of input actions, a set of output actions, and a set of schedules. Each schedule of S is a finite or infinite sequence of the actions of S. Internal actions are excluded in order to focus on the behavior visible to the outside world.

Let A be an automaton or schedule module and P be a predicate on sequences of actions of A. A preserves P if for every schedule βa of A such that P is true of β and a is a locally-controlled action of A, then P is also true of βa.
Automata can be composed to form another automaton, presumably modeling a system made of smaller components. Automata communicate by synchronizing on shared actions; the only allowed situations are for the output from one automaton to be the input to others, and for several automata to share an input. Thus, automata to be composed must have no output actions in common, and the internal actions of each must be disjoint from all the actions of the others. A state of the composite automaton is a tuple of states, one for each component. A start state of the composition has a start state in each component of the state. Any output action of a component becomes an output action of the composition, and similarly for an internal action. An input action of the composition is an action that is input for every component for which it is an action. In a transition of the composition on action π, each component of the state changes as it would in the component automaton if π occurred; if π is not an action of some component automaton, then the corresponding state component does not change. The partition of the composition is the union of the partitions of the component automata.

Given an automaton A and a subset H of its actions, we define the automaton Hide_H(A) to be the automaton A' differing from A only in that each action in H becomes an internal action. This operation is useful for hiding actions that model interprocess communication in a composite automaton, so that they are no longer visible to the environment of the composition.

An execution of a system is fair if each component is given a chance to make progress infinitely often. Of course, a process might not be able to take a step every time it is given a chance. Formally stated, execution e of automaton A is fair if for each class C of part(A), the following two conditions hold. (1) If e is finite, then no action of C is enabled in the final state of e. (2) If e is infinite, then either actions from C appear infinitely often in e, or states in which no action of C is enabled appear infinitely often in e. Note that any finite execution of A is a prefix of some fair execution of A.

The following result from [LT] is very useful: If e is a fair execution of a composition of automata, and A is one of the components, then e|A is a fair execution of A. (If e = s_0 π_1 s_1 ..., we define e|A to be the sequence obtained from e by deleting π_i s_i if π_i is not an action of A, and replacing the remaining s_i with A's component.)

A problem is (specified by) an external schedule module. Automaton A solves the problem P if A and P have the same input and output actions, and if {α|ext(A) : α is the schedule of a fair execution of A} is a subset of the set of schedules of P. In other words, the behavior of A visible to the outside world is consistent with the behavior required in the problem specification.
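The definitions of Appendix A (the four components of an automaton, composition of compatible automata, fairness of a finite execution, and the projection e|A) are concrete enough to execute on finite examples. The code below is an added illustration, not from Lynch and Tuttle or from the paper: it represents an automaton by explicit finite sets, builds the composition transition by transition as the text describes, tests condition (1) of fairness on finite executions, and projects an execution of the composition onto one component. The sender/receiver automata and all names are this example's own constructions; the projection drops each foreign action together with the state that follows it, the usual reading of the bracketed definition.

```python
"""Added example of finite I/O automata: composition, fairness (finite case) and e|A."""
from dataclasses import dataclass
from itertools import product


@dataclass
class IOA:
    name: str
    states: frozenset
    start: frozenset
    inputs: frozenset
    outputs: frozenset
    internals: frozenset
    trans: frozenset                 # (state, action, state) triples
    part: tuple                      # classes partitioning outputs | internals

    def actions(self):
        return self.inputs | self.outputs | self.internals

    def steps(self, s, a):
        return {t for (s1, x, t) in self.trans if s1 == s and x == a}

    def enabled(self, s, a):
        return bool(self.steps(s, a))

    def input_enabled(self):
        """Component (3): every input action has a transition from every state."""
        return all(self.enabled(s, a) for s in self.states for a in self.inputs)


def compatible(auts):
    """No shared outputs; internals of each disjoint from all actions of the others."""
    for k, a in enumerate(auts):
        for m, b in enumerate(auts):
            if k != m and (a.outputs & b.outputs or a.internals & b.actions()):
                return False
    return True


def compose(*auts):
    assert compatible(auts)
    outputs = frozenset().union(*(a.outputs for a in auts))
    internals = frozenset().union(*(a.internals for a in auts))
    inputs = frozenset().union(*(a.inputs for a in auts)) - outputs   # input to all that have it
    states = frozenset(product(*(a.states for a in auts)))
    start = frozenset(product(*(a.start for a in auts)))
    trans = set()
    for s in states:
        for act in inputs | outputs | internals:
            # each component having `act` takes its own step; the others do not change
            choices = [a.steps(s[k], act) if act in a.actions() else {s[k]}
                       for k, a in enumerate(auts)]
            if all(choices):
                trans.update((s, act, t) for t in product(*choices))
    part = tuple(cls for a in auts for cls in a.part)
    return IOA("||".join(a.name for a in auts), states, start,
               inputs, outputs, internals, frozenset(trans), part)


def is_execution(aut, e):
    """e = [s0, a1, s1, ..., an, sn]: starts in a start state, alternates, ends in a state."""
    return (len(e) % 2 == 1 and e[0] in aut.start
            and all((e[k], e[k + 1], e[k + 2]) in aut.trans for k in range(0, len(e) - 1, 2)))


def is_fair(aut, e):
    """Fairness condition (1): no class of part(aut) has an action enabled in the last state."""
    assert is_execution(aut, e)
    return not any(aut.enabled(e[-1], a) for cls in aut.part for a in cls)


def project(e, aut, k):
    """e|A for component k: drop foreign actions with their following state, keep A's coordinate."""
    out = [e[0][k]]
    for pos in range(1, len(e), 2):
        if e[pos] in aut.actions():
            out += [e[pos], e[pos + 1][k]]
    return out


# Constructed toy components: a sender that emits `msg` once started, a receiver that acks.
SENDER = IOA("sender", frozenset({0, 1}), frozenset({0}),
             frozenset({"start"}), frozenset({"msg"}), frozenset(),
             frozenset({(0, "start", 1), (1, "start", 1), (1, "msg", 0)}),
             (frozenset({"msg"}),))
RECEIVER = IOA("receiver", frozenset({0, 1}), frozenset({0}),
               frozenset({"msg"}), frozenset({"ack"}), frozenset(),
               frozenset({(0, "msg", 1), (1, "msg", 1), (1, "ack", 0)}),
               (frozenset({"ack"}),))
SYSTEM = compose(SENDER, RECEIVER)
```

The composed automaton has input {start} and outputs {msg, ack}; the execution (0,0) start (1,0) msg (0,1) ack (0,0) is fair because nothing locally controlled is enabled at the end, while stopping at (1,0) is not, since msg is enabled there. Projecting the fair execution onto the sender gives 0 start 1 msg 0, which is a fair execution of the sender, as the [LT] result promises.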

Appendix  B 

This appendix contains the proofs of Lemmas 3, 5 and 12, all of which state that certain predicates are invariants.

Lemma 3: Let e be an execution of Drink(B) whose schedule is drinking-well-formed. Then in every state of e, the following are true, for all i, j and b.

(A) If b is in B_i ∩ B_j, i ≠ j, then exactly one of the following is true: b is in bottles(i), or b is in bottles(j), or sat(b) is in buff(i,j), or sat(b) is in buff(j,i). If b is in B_i only, then b is in bottles(i).

(B) If (b,j) is in deferred(i), then

(a) b is in bottles(i),

(b) drink-region(j) = T, and

(c) b is in req-bottles(j).

(C) If req(b) is at the head of buff(i,j)|b, then b is in bottles(j).

(D) If req(b) is in buff(i,j), then

(a) at most one req(b) is in buff(i,j),

(b) no sat(b) follows it in buff(i,j),

(c) (b,i) is not in deferred(j),

(d) drink-region(i) = T,

(e) b is in req-bottles(i), and

(f) b is not in bottles(i).

(E) If sat(b) is in buff(i,j), then

(a) at most one sat(b) is in buff(i,j),

(b) no dem(b) immediately follows it in buff(i,j)|b,

(c) drink-region(j) = T, and

(d) b is in req-bottles(j).

(F) If dem(b) is at the head of buff(i,j)|b and b is in bottles(j), then (b,i) is in deferred(j).

(G) If drink-region(i) = T and b is in req-bottles(i) and b is in B_j, j ≠ i, then exactly one of the following is true: req(b) is in buff(i,j), or (b,i) is in deferred(j), or sat(b) is in buff(j,i), or b is in bottles(i).

(H) If b is in req-bottles(i) and drink-region(i) = C, then b is in bottles(i).

Proof: Let e = s_0 a_1 s_1 ... a_m s_m .... We proceed by induction on m, which indexes the states of e.

(A) through (H) are obviously true of s_0, since it is a start state of a composition of compatible automata. Assuming (A) through (H) are true of s_{m-1}, we show they are true of s_m. We consider every possible value of a_m.

Case 1: a_m = T_i(B).

Claims about s_{m-1}:

1. drink-region(i) = R, by drinking-well-formedness and Lemma 1(a).

2. (b,i) is not in deferred(j), for all b and j, by Claim 1 and (B-b).

3. sat(b) is not in buff(j,i), for all b and j, by Claim 1 and (E-c).

4. req(b) is not in buff(i,j), for all b and j, by Claim 1 and (D-d).

5. If sat(b) is not in buff(i,j) and b is not in bottles(i), then b is in bottles(j), where b is in B_j, j ≠ i, for all b, by Claim 3 and (A).

6. If buff(i,j) is empty and b is not in bottles(i), then b is in bottles(j), where b is in B_j, j ≠ i, for all b, by Claim 5.

Claims about s_m:

7. req(b) is in buff(i,j) iff b is not in bottles(i) and b is in req-bottles(i) and b is in B_i ∩ B_j, for all b and j, by Claim 4 and code.

8. If req(b) is at the head of buff(i,j) and b is not in bottles(i), then b is in bottles(j), for all b and j, by Claim 6 and code.

9. If req(b) is at the head of buff(i,j), then b is in bottles(j), for all b and j, by Claims 7 and 8.

(A) No relevant change.

(B) Only (B-c) is affected, for (b,i). By Claim 2 and code, no (b,i) is in deferred(j) in s_m, so the predicate is vacuously true.

(C) Only changes affect req(b) in buff(i,j); by Claim 9.

(D) Only changes affect req(b) in buff(i,j). (a) and (b) by Claim 4 and code, (c) by Claim 2 and code, (d) by code, (e) and (f) by Claim 7.

(E) Only (E-d) is affected, for sat(b) in buff(j,i). None by Claim 3 and code, so vacuously true.

(F) No relevant changes.

(G) Only changes involve i. Suppose b is in req-bottles(i) in s_m. By Claims 2 and 3 and code, we only need to show that req(b) is in buff(i,j) iff b is not in bottles(i), which is true by Claim 7.

(H) Only changes involve i. By code, drink-region(i) = T in s_m, so vacuously true.


Case 2: a_m = E_i(B).

Claims about s_{m-1}:

1. drink-region(i) = C, by drinking-well-formedness and Lemma 1(a).

2. (b,i) is not in deferred(j), for all b and j, by Claim 1 and (B-b).

3. req(b) is not in buff(i,j), for all b and j, by Claim 1 and (D-d).

4. sat(b) is not in buff(j,i), for all b and j, by Claim 1 and (E-c).

5. If (b,j) is in deferred(i), then b is in bottles(i), for all b and j, by (B-a).

6. If (b,j) is in deferred(i), then j ≠ i, by Lemma 1(e).

7. If (b,j) is in deferred(i), then b is not in bottles(j), sat(b) is not in buff(i,j), and sat(b) is not in buff(j,i), for all b and j, by Claims 5 and 6 and (A).

8. If (b,j) is in deferred(i), then req(b) is not in buff(j,i), for all b and j, by (D-c).

9. If (b,j) is in deferred(i), then drink-region(j) = T and b is in req-bottles(j), for all b and j, by (B-b) and (B-c).

10. If (b,j) is in deferred(i), then req(b) is not in buff(j,i), for all b and j, by Claim 9 and (G).

(A) Only affects b such that (b,j) is in deferred(i) in s_{m-1}. By Claim 7 and code.

(B) Only affects deferred(i) and deferred(j). By Claim 2 and code, no (b,i) is in deferred(j), so vacuously true. By code, no (b,j) is in deferred(i) in s_m, so vacuously true.

(C) Only affects buff(j,i), where (b,j) is in deferred(i) in s_{m-1}. By Claim 8 and code, no req(b) is in buff(j,i) in s_m, so vacuously true.

(D) Only affects buff(i,j). By Claim 3 and code, no req(b) is in buff(i,j) in s_m, so vacuously true.

(E) Only affects buff(i,j) such that (b,j) is in deferred(i) in s_{m-1}, and buff(j,i) for all j. By Claim 4 and code, no sat(b) is in buff(j,i) in s_m, so vacuously true. Suppose sat(b) is added to buff(i,j) in s_m. Then (b,j) is in deferred(i) in s_{m-1}. (a) By Claim 7 and code. (b) By code. (c) and (d) By Claim 9 and code.

(F) Only affects i. Since (F) is true in s_{m-1} and by code b is removed from bottles(i) if and only if b is removed from deferred(i) in s_m, still true.

(G) Only affects j, where (b,j) is in deferred(i) in s_{m-1}. By Claim 10 and code, req(b) is not in buff(j,i) in s_m. By Claim 7 and code, b is not in bottles(j) in s_m. By code, (b,j) is not in deferred(i) and sat(b) is in buff(i,j) in s_m.

(H) Only affects i. By code, drink-region(i) = E in s_m, so vacuously true.


Case 3: a_m = deliver(sat(b), j, i).

Claims about s_{m-1}:

1. sat(b) is at the head of buff(j,i), by precondition.

2. b is in B_i ∩ B_j, by Claim 1 and Lemma 1(d).

3. b is not in bottles(i), by Claims 1 and 2 and (A).

4. b is not in bottles(j), by Claims 1 and 2 and (A).

5. sat(b) is not in buff(i,j), by Claims 1 and 2 and (A).

6. At most one sat(b) is in buff(j,i), by Claim 1 and (E-a).

7. No dem(b) immediately follows sat(b) in buff(j,i), by Claim 1 and (E-b).

8. drink-region(i) = T, by Claim 1 and (E-c).

9. b is in req-bottles(i), by Claim 1 and (E-d).

10. req(b) is not in buff(i,j), by Claims 1, 8 and 9 and (G).

11. (b,i) is not in deferred(j), by Claims 1, 8 and 9 and (G).

12. b is not in bottles(i), by Claims 1, 8 and 9 and (G).

(A) Only affects b. By Claims 4, 5 and 6 and code.

(B) No relevant change.

(C) Only affects buff(j,i)|b. By code, since b is added to bottles(i).

(D) Only affects b. By Claim 10 and code, no req(b) is in buff(i,j), so vacuously true.

(E) No relevant change.

(F) Only affects buff(j,i). By Claim 7 and code, dem(b) is not at the head of buff(j,i), so vacuously true.

(G) Only affects b and i. By Claims 6, 10 and 11 and code.

(H) No relevant change.


Case 4: a_m = deliver(req(b), j, i).

Claims about s_{m-1}:

1. req(b) is at the head of buff(j,i), by precondition.

2. b is in B_i ∩ B_j, by Claim 1 and Lemma 1(d).

3. b is in bottles(i), by Claim 1 and (C).

4. b is not in bottles(j), by Claims 2 and 3 and (A).

5. sat(b) is not in buff(i,j), by Claims 2 and 3 and (A).

6. sat(b) is not in buff(j,i), by Claims 2 and 3 and (A).

7. Exactly one req(b) is in buff(j,i), by Claim 1 and (D-a).

8. drink-region(j) = T, by Claim 1 and (D-d).

9. b is in req-bottles(j), by Claim 1 and (D-e).

10. req(b) is not in buff(i,j), by Claim 3 and (D-f).

(A) Only affects b. By Claims 4, 5 and 6 and code.

(B) Only affects (b,j). (a) by code, (b) by Claim 8, (c) by Claim 9.

(C) Only affects buff(j,i). By Claim 7 and code, no req(b) is in buff(j,i), so vacuously true.

(D) Only affects buff(i,j) and buff(j,i). By Claims 7 and 10 and code, no req(b) is in either buff, so vacuously true.

(E) Only affects buff(i,j) if sat(b) is added. (a) by Claim 5 and code, (b) by code, (c) by Claim 8 and code, (d) by Claim 9 and code.

(F) Only affects buff(i,j)|b. By code, b is removed from bottles(i) if and only if (b,j) is removed from deferred(i).

(G) Only affects b and j. By Claim 7 and code, no req(b) is in buff(j,i) in s_m. By Claim 4 and code, b is not in bottles(j) in s_m. By Claim 5 and code, sat(b) is in buff(i,j) if and only if (b,j) is not in deferred(i) in s_m.

(H) Only affects b and i. By Claim 3 and code.


Case 5: a_m = deliver(dem(b), j, i). If b is not in bottles(i) in s_{m-1}, then no relevant changes are made. Assume b is in bottles(i) in s_{m-1}.

Claims about s_{m-1}:

1. b is in bottles(i), by assumption.

2. dem(b) is at the head of buff(j,i), by precondition.

3. b is in B_i ∩ B_j, by Claim 2 and Lemma 1(d).

4. b is not in bottles(j), by Claims 1 and 3 and (A).

5. sat(b) is not in buff(i,j), by Claims 1 and 3 and (A).

6. sat(b) is not in buff(j,i), by Claims 1 and 3 and (A).

7. (b,j) is in deferred(i), by Claims 1 and 2 and (F).

8. drink-region(j) = T, by Claim 7 and (B-b).

9. b is in req-bottles(j), by Claim 7 and (B-c).

10. req(b) is not in buff(j,i), by Claim 7 and (D-c).

11. req(b) is not in buff(i,j), by Claim 1 and (D-f).

(A) Only affects b. By Claims 4, 5 and 6 and code.

(B) Only affects (b,j). By Claims 1, 8 and 9 and code.

(C) Only affects buff(j,i)|b. By Claim 10 and code, vacuously true.

(D) Only affects buff(j,i) and buff(i,j). By Claims 10 and 11, vacuously true.

(E) Suppose sat(b) is added to buff(i,j). (Nothing else is affected.) (a) By Claim 5 and code, (b) by code, (c) by Claim 8 and code, (d) by Claim 9 and code.

(F) Only affects buff(i,j)|b. By code, if b remains in bottles(i), then (b,j) is in deferred(i) in s_m.

(G) Only affects j and b. By Claim 10, no req(b) is in buff(j,i) in s_m. By Claim 4, b is not in bottles(j) in s_m. By code, (b,j) is in deferred(i) if and only if sat(b) is not in buff(i,j) in s_m.

(H) By Claim 1 and code.
Case 6: a_m = C_i.

Claims about s_{m-1}: If drink-region(i) ≠ T in s_{m-1}, then no relevant changes occur. Suppose otherwise. Only b in req-bottles(i) and not in bottles(i) is affected.

1. drink-region(i) = T, by assumption.

2. b is in req-bottles(i) ∩ B_j, j ≠ i, by assumption.

3. b is not in bottles(i), by assumption.

4. req(b) is in buff(i,j), or (b,i) is in deferred(j), or sat(b) is in buff(j,i), by Claims 1, 2 and 3 and (G).

5. If sat(b) is in buff(i,j), then no sat(b) is in buff(j,i) and b is not in bottles(j), by (A).

6. If sat(b) is in buff(i,j), then (b,i) is not in deferred(j), by Claim 5 and (B-a).

7. If sat(b) is in buff(i,j), then req(b) is in buff(i,j), by Claims 4, 5 and 6.

8. If sat(b) is in buff(i,j), then req(b) follows it in buff(i,j), by Claim 7 and (D-b).

9. If buff(i,j)|b is empty and b is in bottles(j), then no sat(b) is in buff(j,i), by Claim 2 and (A).

10. If buff(i,j)|b is empty and b is in bottles(j), then (b,i) is in deferred(j), by Claims 4 and 9.

(E-b) by Claim 8.

(F) by Claim 10.

Rest are not affected.


Case 7: a_m = C_i(B). By Lemma 2, sched(e) is drinking-well-formed; thus in sched(e)|D-TCER_i, a_m is immediately preceded by T_i(B). By Lemma 1(b), req-bottles(i) = B in s_{m-1}.

Claims about s_{m-1}:

1. drink-region(i) = T, by precondition.

2. If b is in req-bottles(i), then b is in bottles(i), for all b, by precondition.

3. If b is in req-bottles(i), then b is not in bottles(j), where b is in B_j, j ≠ i, for all b, by Claim 2 and (A).

4. If (b,i) is in deferred(j), then i ≠ j and b is in B_i ∩ B_j, for all b and j, by Lemma 1(e).

5. (b,i) is not in deferred(j), for all b and j, by Claims 3 and 4 and (B-a) and (B-c).

6. req(b) is not in buff(i,j), for all b and j, by Claim 2 and (D-e) and (D-f).

7. If b is in req-bottles(i), then sat(b) is not in buff(j,i), where b is in B_j, j ≠ i, for all b, by Claim 2 and (A).

8. If b is not in req-bottles(i), then sat(b) is not in buff(j,i), where b is in B_j, j ≠ i, for all b, by (E-d).

9. buff(j,i)|sat(b) is empty for all b not in B_j, by Lemma 1(d).

(B-b) vacuously true by Claim 5.

(D-d) vacuously true by Claim 6.

(E-c) vacuously true by Claims 7, 8 and 9.

The rest are unaffected.


Case 8: a_m = R_i(B). The only change is that drink-region(i) becomes R in s_m. By Lemma 2, sched(e) is drinking-well-formed; thus in sched(e)|D-TCER_i, a_m is immediately preceded by E_i(B). By Lemma 1(a), drink-region(i) = E in s_{m-1}. Thus (B-b), (D-d) and (E-c) are still true in s_m.

Case 9: a_m = R_i, T_i, or E_i. None of the changes affects any of the predicates. □

Lemma 5: Let e be an execution of Drink(B) whose schedule is drinking-well-formed. Then in every state of e, the following are true, for all i.

(A) If do-T(i) is true, then dine-region(i) = R.

(B) If do-E(i) is true, then dine-region(i) = C.

Proof: Let e = s_0 a_1 s_1 ... a_m s_m .... We proceed by induction on m, which indexes the states of e.

(A) and (B) are obviously true of s_0, since it is a start state. Assuming (A) and (B) are true of s_{m-1}, we show they are true of s_m. We need only consider the following values for a_m.

Case 1: a_m = T_i(B).

(A) If dine-region(i) = R in s_{m-1}, then by code. If dine-region(i) ≠ R in s_{m-1}, then by the induction hypothesis for (A), do-T(i) is false in s_{m-1}; since by code it is still false in s_m, we are done.

(B) By the induction hypothesis, since there is no relevant change.

Case 2: a_m = C_i. First note that a_1 ... a_{m-1}|F-TCER_i ends in T_i, by dining-well-formedness.

Claims about s_{m-1}:

1. dine-region(i) = T, by the above note and Lemma 1(c).

2. do-T(i) = false, by Claim 1 and (A).

(A) by Claim 2 and code, vacuous.

(B) by code.

Case 3: a_m = R_i. First note that a_1 ... a_{m-1}|F-TCER_i ends in E_i, by dining-well-formedness.

Claims about s_{m-1}:

1. dine-region(i) = E, by the above note and Lemma 1(c).

2. do-E(i) = false, by Claim 1 and (B).

(A) by code.

(B) by Claim 2 and code, vacuous.

Case 4: a_m = C_i(B).

(A) and (B) by the induction hypothesis and code.

Case 5: a_m = T_i.

(A) by code.

(B) By (A) and precondition, dine-region(i) = R in s_{m-1}. By (B), do-E(i) = false in s_{m-1}, and still in s_m.

Case 6: a_m = E_i.

(A) By (B) and precondition, dine-region(i) = C in s_{m-1}. By (A), do-T(i) = false in s_{m-1}, and still in s_m.

(B) by code.

□


Lemma 12: Suppose Dine(B) solves the dining philosophers problem. Let e be an execution of Drink(B) whose schedule is drinking-well-formed. The following predicates are true in every state of e, for any i, j and b.

(A) If there is a current dem(b) message in buff(i,j), then

(a) drink-region(i) = T,

(b) dine-region(i) = C,

(c) b is in req-bottles(i), and

(d) do-E(i) is false.

(B) There is at most one current dem(b) message in buff(i,j).

(C) There is at most one non-current dem(b) message in buff(i,j).

Proof: Let e = s_0 a_1 s_1 ... a_m s_m .... We proceed by induction on m, which indexes the states of e.

(A) through (C) are obviously true of s_0, since it is a start state. Assuming (A) through (C) are true of s_{m-1}, we show that they are true of s_m. We consider every possible value of a_m. By Lemma 6(a), sched(e) is dining-well-formed.

Case 1: a_m = T_i(B). Only messages in buff(i,j), for all j, are affected.

Remark: By drinking-well-formedness, a_1 ... a_{m-1}|D-TCER_i ends in R_i(B') for some B', or is empty.

Claims about s_{m-1}:

1. drink-region(i) = R, by the Remark and Lemma 1(a).

2. No current dem(b) is in buff(i,j) for any b and j, by Claim 1 and (A-a).

3. At most one non-current dem(b) is in buff(i,j) for any b and j, by (C).

Claims about s_m:

4. No current dem(b) is in buff(i,j) for any b and j, by Claim 2 and code.

5. At most one non-current dem(b) is in buff(i,j) for any b and j, by Claim 3 and code.

(A) By Claim 4, vacuously true for buff(i,j) for all j.

(B) By Claim 4 for buff(i,j) for all j.

(C) By Claim 5 for buff(i,j) for all j.


Case 2: a_m = E_i(B). Only dem(b) messages in buff(i,j) and buff(j,i) are affected, where (b,j) is in deferred(i) in s_{m-1}. Fix such a b and j.

Remark: By drinking-well-formedness, a_1 ... a_{m-1} | D-TCER_i ends in C_i(B).

Claims about s_{m-1}:

1. drink-region(i) = C, by Remark and Lemma 1(a).

2. No current dem(b) is in buff(i,j), by Claim 1 and (A-a).

3. At most one non-current dem(b) is in buff(i,j), by (C).

4. b is in bottles(i), by choice of b and Lemma 3(B-a).

5. If dem(b) is in buff(j,i), then dem(b) is current, by Claim 4.

6. At most one dem(b) is in buff(j,i), by Claim 5 and (B).

Claims about s_m:

7. No current dem(b) is in buff(i,j), by Claim 2 and code.

8. At most one non-current dem(b) is in buff(i,j), by Claim 3 and code.

9. At most one dem(b) is in buff(j,i), by Claim 6 and code.

(A) By Claim 7 for buff(i,j). No relevant change for buff(j,i).

(B) By Claim 7 for buff(i,j). By Claim 9 for buff(j,i).

(C) By Claim 8 for buff(i,j). By Claim 9 for buff(j,i).


Case 3: a_m = deliver(sat(b), j, i). The only messages affected are dem(b) in buff(i,j) or buff(j,i).

Claims about s_{m-1}:

1. sat(b) is at the head of buff(j,i), by precondition.

2. If dem(b) is in buff(j,i), then it is current, by Claim 1.

3. At most one dem(b) is in buff(j,i), by Claim 2 and (B).

4. If dem(b) is in buff(i,j), then it is current, by Claim 1.

5. At most one dem(b) is in buff(i,j), by Claim 4 and (B).

Claims about s_m:

6. At most one dem(b) is in buff(j,i), by Claim 3 and code.

7. At most one dem(b) is in buff(i,j), by Claim 5 and code.

(A) No relevant changes are made.

(B) By Claims 6 and 7.

(C) By Claims 6 and 7.


Case 4: a_m = deliver(req(b), j, i). If the request is deferred, there is no relevant change. Suppose the request is satisfied, i.e., sat(b) is added to buff(i,j). The only messages affected are dem(b) in buff(i,j) or buff(j,i).

Claims about s_{m-1}:

1. req(b) is at the head of buff(j,i), by precondition.

2. b is in bottles(i), by Claim 1 and Lemma 3(C).

3. If dem(b) is in buff(j,i), then it is current, by Claim 2.

4. At most one dem(b) is in buff(j,i), by Claim 3 and (B).

5. b is in D_i ∩ B_j, by Claim 1 and Lemma 1(d).

6. If dem(b) is in buff(i,j), then it is not current, by Claims 2 and 5 and Lemma 3(A).

7. At most one dem(b) is in buff(i,j), by Claim 6 and (C).

Claims about s_m:

8. At most one dem(b) is in buff(j,i), by Claim 4 and code.

9. At most one dem(b) is in buff(i,j), by Claim 7 and code.

(A) No relevant change.

(B) By Claims 8 and 9.

(C) By Claims 8 and 9.


Case 5: a_m = deliver(dem(b), j, i). If b is not in bottles(i) in s_{m-1}, then there is no relevant change. Suppose b is in bottles(i) in s_{m-1}. The only messages affected are dem(b) in buff(i,j) or buff(j,i).

Claims about s_{m-1}:

1. dem(b) is at the head of buff(j,i), by precondition.

2. b is in bottles(i), by assumption.

3. If dem(b) is in buff(j,i), then it is current, by Claim 1.

4. There is exactly one dem(b) in buff(j,i), by Claims 1 and 3.

5. b is in D_i ∩ B_j, by Claim 1 and Lemma 1(d).

6. If dem(b) is in buff(i,j), then it is non-current, by Claim 2 and Lemma 3(A).

7. There is at most one dem(b) in buff(i,j), by Claim 6 and (C).

Claims about s_m:

8. There is no dem(b) in buff(j,i), by Claim 4 and code.

9. There is at most one dem(b) in buff(i,j), by Claim 7 and code.

10. If dem(b) is in buff(i,j), then it is non-current, by Claim 6 and code (i.e., sat(b) is added to the end of buff(i,j), if it is added at all).

(A) By Claims 8 and 10.

(B) By Claims 9 and 10.

(C) By Claims 9 and 10.


Case 6: a_m = C_i. First, suppose drink-region(i) ≠ T in s_{m-1}. Then by (A-a), no current dem(b) message is in buff(i,j), for any b and j, in s_{m-1}. Thus, setting do-E(i) to true in s_m does not falsify (A-d). There is no relevant change for the rest of the invariants.

Now suppose drink-region(i) = T in s_{m-1}. We need only consider a dem(b) added to some buff(i,j) in s_m. Fix such a b and j.

Remark: By dining-well-formedness, a_1 ... a_{m-1} | F-TCER_i ends in T_i.

Claims about s_{m-1}:

1. dine-region(i) = T, by Remark and Lemma 1(e).

2. If dem(b) is in buff(i,j), then it is non-current, by Claim 1 and (A-b).

3. At most one dem(b) is in buff(i,j), by Claim 2 and (C).

4. b is not in bottles(i), by code and choice of b.

5. sat(b) is in buff(i,j), or b is in bottles(j), or sat(b) is in buff(j,i), by Claim 4 and Lemma 3(A).

6. drink-region(i) = T, by assumption.

7. b is in req-bottles(i), by choice of b.

8. do-E(i) is false, by Claim 1 and Lemma 5(B).

Claims about s_m:

9. The dem(b) message added to buff(i,j) is current, by Claim 5 and code.

10. drink-region(i) = T, dine-region(i) = C, b is in req-bottles(i), and do-E(i) is false, by Claims 6, 7 and 8 and code.

11. One current dem(b) message is in buff(i,j), by Claims 2 and 9 and code.

(A) By Claim 10.

(B) By Claim 11.

(C) No relevant change.


Case 7: a_m = R_i. The only relevant change is to dine-region(i), affecting (A-b) for i. By dining-well-formedness, a_1 ... a_{m-1} | F-TCER_i ends in E_i. By Lemma 1(c), dine-region(i) = E in s_{m-1}, so by (A-b) there is no current dem(b) in buff(i,j), for any b and j, in s_{m-1}. By code, the same is true in s_m, so (A-b) for i is vacuously true in s_m.


Case 8: a_m = C_i(B). The only relevant change is to do-E(i), affecting (A-d) for i. By precondition (req-bottles(i) a subset of bottles(i)) and (A-c), there is no current dem(b) in buff(i,j), for any b and j. By code, the same is true in s_m, so (A-d) for i is vacuously true in s_m.


Case 9: a_m = R_i(B). The only change is to drink-region(i), affecting (A-a) for i. By precondition, drink-region(i) = E in s_{m-1}, so by (A-a), there is no current dem(b) in buff(i,j), for any b and j. By code, the same is true in s_m, so (A-a) for i is vacuously true in s_m.


Case 10: a_m = T_i. The only relevant change is to dine-region(i), affecting (A-b) for i. By precondition and Lemma 5(A), dine-region(i) = R in s_{m-1}, so by (A-b), there is no current dem(b) in buff(i,j), for any b and j. By code, the same is true in s_m, so (A-b) for i is vacuously true in s_m.


Case 11: a_m = E_i. The only changes are to dine-region(i) and do-E(i), affecting (A-b) and (A-d) for i. By precondition and (A-b), there is no current dem(b) in buff(i,j), for any b and j. By code, the same is true in s_m, so (A-b) and (A-d) for i are vacuously true in s_m. □